DATA PROCESSING ADDENDUM

This Data Processing Addendum (the “Addendum”) applies in the following two circumstances: (i) the Company is the Data Controller and Business, with Textkernel acting as the Data Processor and Service Provider, or (ii) the Company is a Data Processor and Service Provider under a separate agreement with its customers, with Textkernel acting as a Sub-Processor and Sub-Service Provider. This Addendum is subject to the terms, conditions and limitations of the Agreement regarding the Company’s collection, use, processing and storage (as applicable) of Personal Data in the Service. All capitalized terms not defined below shall have the meaning set forth in the Agreement.

1) Definitions

1.1) In this Addendum, capitalized words and expressions, whether in single or plural, have the meaning specified in the Agreement and as set out below:

Business, Controller, Processor, Service Provider, Sub-Processor, Data Subject, Personal Data, Personal Data Breach and Process/Processing: all shall have the meanings set out in the GDPR or other applicable Data Privacy Laws, as amended or replaced from time to time;

Data Privacy Laws: means the laws and regulations, guidance and codes of practice relating to data privacy and data protection, information security and privacy as applicable to Licensee as Data Controller and Business (or Data Processor and Service Provider, as applicable) and Licensor as Data Processor and Service Provider in the following geographies where Licensor offers its Services: (i) United States federal and state data protection and privacy laws, including without limitation the California Consumer Privacy Act of 2018 (“CCPA”), as amended by the California Privacy Rights Act of 2020 (together with the CCPA, the “CPRA”); (ii) Regulation (EU) 2016/679 (the “General Data Protection Regulation” or “GDPR”) and the Privacy and Electronic Communications (EC Directive) Regulations; (iii) the United Kingdom General Data Protection Regulation (“UK GDPR”) and the Data Protection Act, 2018; (iv) the Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”); (v) the Swiss Federal Data Protection Act (“Swiss DPA”); (vi) the Dutch General Data Protection Regulation Implementation Act of 2018; and (vii) the Australian Federal Privacy Act 1988 and Australian Privacy Principles.

2) Purpose of the Personal Data Processing

2.1) The Company and Textkernel have concluded the present Addendum for the Processing of Personal Data in the context of the Agreement. An overview of the type of Personal Data, categories of Data Subjects and the applicable purposes of Processing, is included in Annex 1 of the SCCs (as defined below).

2.2) The Company is responsible and liable for the Processing of Personal Data in relation to the Agreement and agrees that Processing is in compliance with applicable Data Protection Laws. The Company will indemnify and hold Textkernel harmless against any and all claims of third parties, those of the data protection authority in particular, resulting in any way from not complying with this guarantee.

2.3) Textkernel undertakes to Process Personal Data only on documented instructions from the Company, including with regard to transfers of Personal Data to a third country or an international organisation, for the purpose of the activities referred to in this Addendum and as otherwise set forth in the Agreement, unless a legal provision under Union or Member State law to which Textkernel is subject requires Textkernel to do so. In such a case, Textkernel shall promptly inform the Company of that legal requirement before Processing, unless that law prohibits the disclosure of such information on important grounds of public interest.

The Company acknowledges (and to the extent legally required: agrees) that Textkernel processes Personal Data for statistical; analytical; product and Service development, testing and enhancement; and artificial intelligence and machine learning purposes.

3) Further Use of the Personal Data for Textkernel’s Own Purposes

3.1) The Company acknowledges (and to the extent legally required: agrees) that Textkernel processes Personal Data for various purposes with regard to Textkernel’s artificial intelligence and machine learning services, including:

develop new services and functionalities for customers/users of services;
improve performance of services;
training and enhancement of AI models;
personalization of services for customers/users of the services;
customer support optimization.

To the extent legally required, the Company agrees when signing the Agreement to Textkernel’s use of Personal Data for the purposes set forth above.

3.2) Textkernel ensures that the further processing of Personal Data is lawful and complies with the Data Protection Laws. For more information on Textkernel’s processing activities, the Company may refer to https://www.textkernel.com/privacy-statement/.

3.3) Company ensures that the Processing of Personal Data which will be further used by Textkernel is lawful and complies with Data Protection Laws. It also ensures, in its capacity of Data Controller/Data Processor of the Processing, that it should inform the Data Subjects/its customers on the transfer of Personal Data to Textkernel, the latter acting in its capacity of independent Data Controller for the above mentioned purposes. The Company should also offer the Data Subjects/its customers to opt-out, insofar the legal basis is the legitimate interests of Textkernel or third parties.

4) Technical and Organizational Provisions

4.1) Textkernel will, ensure compliance with its obligations as a Data Processor pursuant to the GDPR to take appropriate technical and organizational measures to ensure a level of security appropriate to the risk. These measures will include an appropriate level of security, taking into account the state of the art and the costs of implementation, in view of the risks entailed by Personal Data Processing and the nature of the data to be protected. Textkernel will in any case take measures to protect Personal Data against accidental or unlawful destruction, accidental or deliberate loss, forgery, unauthorized distribution or access, or any other form of unlawful Processing.

5) Confidentiality

5.1) Textkernel will require the employees that are involved in the provision of the Service to sign a confidentiality statement – whether or not included in the employment agreement with those employees – which in any case states that these employees must keep strictly confidential all Personal Data.

6) Transborder Data Processing

6.1) Company acknowledges (and to the extent legally required: agrees) that Personal Data of EU and UK Data Subjects will be processed and transferred to Textkernel in accordance with this Addendum and the Data Privacy Framework for transfers to the US and Standard Contractual Clauses (“SCCs“), as set forth at https://www.textkernel.com/terms-and-agreements/standard-contractual-clauses/, for transfers to any country without an adequacy decision pursuant to GDPR Article 45(3). Company acknowledges (and to the extent legally required: agrees) that Textkernel may Process and transfer Personal Data to Bullhorn, Inc. and its group companies and their Affiliates, subcontractors and Sub-Processors located in the US and other international jurisdictions, provided that Bullhorn and its Affiliates, subcontractors and Sub-Processors: (i) maintain (if applicable) certification under the applicable Data Privacy Framework, as may be updated or replaced with an equivalent regulatory scheme by a government authority; (ii) enter into and comply (if applicable) with the SCCs if Company is located in the European Economic Area, Switzerland or the UK; or (iii) implement, as applicable, such other international data transfer mechanism recognized as adequate by applicable Data Protection Laws.

7) Sub-Processors

7.1) Textkernel is entitled to outsource the implementation of the Processing to Sub-Processors, either wholly or in part, which parties are listed at https://www.bullhorn.com/legal/sub-processors/. In case Textkernel wishes to enable new Sub-Processors, Textkernel will provide notice to the Company of any intended changes concerning the addition or replacement of Sub-Processors. The Company shall be entitled to object to such changes on the basis of reasonable, objective grounds within 10 Business Days of receipt of the notification. If Company does not object during such time period, the new Sub-Processor(s) shall be deemed accepted.

7.2) Textkernel respects the GDPR’s conditions for engaging a Sub-Processor and contractually obligates each Sub-Processor to comply with the applicable data protection obligations, including confidentiality obligations, notification obligations and security obligations relating to the Processing of Personal Data, which obligations and measures must be consistent with the provisions of this Addendum.

8) Liability

8.1) With regard to the liability of the parties under this Addendum, and except for Company’s indemnification obligations set forth herein, the sections in the Agreement regarding the limitation of liability apply.

9) Personal Data Breach

9.1) In the event Textkernel becomes aware of any Data Breach of the Company’s Personal Data it will notify Company without undue delay.

9.2) Textkernel will, insofar as reasonable and at the cost of Company, provide all reasonable information requested by Company in order for Company to comply with its legal obligations relating to the identified Data Breach.

9.3) Textkernel will not be responsible and/or liable for the (timely and correctly) notification obligation of the Company to the relevant supervisory authority and/or Data Subjects, as meant in Articles 33 and 34 of the GDPR.

10) Cooperation

10.1) Textkernel taking into account the nature of the Processing, and insofar as reasonably possible, shall provide reasonable assistance to Company upon request to assist Company with its obligations under Articles 32 through 36 of the GDPR and to respond to requests for exercising rights of Data Subjects under GDPR, in particular the right of access (Article 15 of the GDPR), rectification (Article 16 of the GDPR), erasure (Article 17 of the GDPR), restriction (Article 18 of the GDPR), data portability (Article 20 of the GDPR) and the right to object (Articles 21 and 22 of the GDPR). Textkernel will forward a complaint or request from a Data Subject with regard to the Processing of Personal Data to the Company as soon as possible, as the Company is responsible for handling the request. Textkernel is entitled to charge any costs associated with the cooperation with the Company.

10.2) Textkernel will, insofar as reasonably possible and taking into account the nature of the Processing, provide assistance to the Company in fulfilling the Company’s obligation pursuant to the GDPR to carry out a data protection impact assessment (Articles 35 and 36 of the GDPR). Textkernel is entitled to charge any costs associated with the cooperation with the Company.

10.3) Textkernel will provide the Company with all the information reasonably necessary to demonstrate that Textkernel fulfills its obligations under the GDPR and this Addendum. Furthermore, Textkernel will – at the request of Company – enable and contribute to audits, including inspections by Company or an auditor that is authorized by Company (provided such auditor is not a competitor of Textkernel or its Affiliates). Textkernel is entitled to charge any costs associated with any audit by, or on behalf of, the Company.

10.4) In case Textkernel is of the opinion that an instruction of the Company infringes the GDPR or other applicable Data Protection Laws, Textkernel will inform the Company immediately.

11) Termination and Miscellaneous

11.1) This Addendum shall be valid for the duration of the provision of the Services within the Agreement.

11.2) With regard to the termination under this Addendum the specific provisions of the Agreement apply. Without prejudice to the specific provisions of the Agreement, Textkernel will, at the first request of the Company, delete or return all the Personal Data, and delete all existing copies, unless Textkernel is legally required to store (part of) the Personal Data.

11.3) The Company will adequately inform Textkernel about the (statutory) retention periods that apply to the Processing of Personal Data by Textkernel.

11.4) The obligations laid down in this Addendum which, by their nature, are designed to continue after termination will remain in force after the termination of this Addendum.

11.5) The choice of law and competent court comply with the applicable provisions of the Agreement.

TEXTKERNEL’S PRODUCTS

NAVIGATE TEXTKERNEL’S TECHNOLOGY OFFERING

By Industry

By Use Case

TEXTKERNEL’S SOLUTIONS

NAVIGATE TEXTKERNEL’S SOLUTIONS OFFERING

TEXTKERNEL CONNECTS WITH INDUSTRY LEADERS WORLDWIDE

DEVELOPING A GLOBAL NETWORK OF EXCELLENCE

Helping organisations connect people and jobs

OUR COMPANY

EMPOWER YOUR TEXTKERNEL EXPERIENCE

WELCOME TO TEXTKERNEL’S LEARN & SUPPORT HUB