WhoAI Data Processing Agreement

Effective date: April 4, 2025

This Data Processing Addendum (“DPA”) is between WhoAI (“WhoAI”) and the customer (“Customer”) engaging WhoAI’s Services. This DPA is hereby incorporated into and deemed part of that particular Master Services Agreement or Terms of Service, as applicable, by and between the Parties under which the Services are provided (in either case, the “Agreement”). Customer and WhoAI are each a “Party” and are together the “Parties.” For clarity, the terms “WhoAI” and “Customer” shall include the Parties’ respective affiliates and subsidiaries.

This DPA applies to WhoAI to the extent that WhoAI Processes Customer Personal Data in order to provide the services specified in the Agreement (the “Services”). This DPA does not apply to Relationship Contact Data exchanged between the Parties. Capitalized terms not specifically defined herein shall have the meaning set out in the Agreement. In the event of a conflict between the terms of the Agreement as they relate to the processing of Customer Personal Data and this DPA, the DPA shall prevail.

1. DEFINITIONS

  • “Data Controller” means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of personal data.
  • “Data Processor” means a natural or legal person, public authority, agency or other body which Processes personal data on behalf of the Data Controller.
  • “Data Privacy Laws” means state and federal laws of the United States that regulate the protection, privacy, and/or security of “personal data,” “personal information,” “personally identifiable information,” any other like terms, and that are applicable to WhoAI’s Processing of Customer Personal Data under the Agreement. References to “law” herein shall be deemed to include Data Privacy Laws, without limitation.
  • “Customer Personal Data” means the following categories of data when provided to WhoAI by Customer under the Agreement and identifying a Job Candidate either alone or in combination with other data: name; contact information; resume information; work history and other professional information; recordings of interviews; location information; interview assessments; communications content; other data communicated to WhoAI during Interviews.
  • “Interview” means any Customer-directed interaction between a Job Candidate and WhoAI utilizing WhoAI Services.
  • “Job Candidate” means any individual being directed to utilize the Services by a Customer.
  • “Process,” “Processes,” or “Processing” means any operation or set of operations that are performed on data, whether or not by automated means, including collection, recording, organization, structuring, storage, analysis, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
  • “Security Incident” means any situation in which WhoAI confirms that Customer Personal Data under WhoAI’s direct control has been accessed, acquired, disclosed, altered, lost, destroyed, or used by unauthorized persons in an unauthorized manner.
  • “Sell” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, Customer Personal Data to a third party for monetary or other valuable consideration.

1.10. “Share” means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, Customer Personal Data to a third party for cross-context behavioral advertising for monetary or other valuable consideration.

1.11. “Subprocessor” means any third-party service provider of WhoAI and to which WhoAI provides or makes available Customer Personal Data for Processing to be carried out on behalf of Customer. For clarity, Subprocessors do not include third parties with whom Customer or its personnel directs WhoAI to interact or share Customer Personal Data, including third parties connected through WhoAI services or products. WhoAI shall have no responsibility for third parties with whom Customer chooses to interact or provide Customer Personal Data.

2. SCOPE & CUSTOMER OBLIGATIONS

  • Customer will be considered the Data Controller with respect to Customer Personal Data and appoints WhoAI as a Data Processor of Customer Personal Data.
  • Customer acknowledges and agrees that, as described in the WhoAI Privacy Notice, notwithstanding any other provision of the Agreement or this DPA, WhoAI may use Customer Personal Data for internal business purposes, including to: (i) enhance, analyze, develop or troubleshoot WhoAI products and services; (ii) comply with applicable laws (including law enforcement requests or compulsory disclosures); (iii) help ensure the internal security of WhoAI’s products and services and prevent fraud or mitigate risk; (iv) refine WhoAI algorithms using Interview data; (v) provide Customers with Job Candidate comparisons; (vi) provide benchmarking data across Customers; (vii) analyze data for product improvement; (viii) for the purposes stated in the WhoAI Privacy Notice; (ix) for any other purposes contemplated or permitted by the Agreement, this DPA, or by applicable law (each of the foregoing, along with the provision of Services, a “Permitted Service Purpose,” and collectively the “Permitted Service Purposes”).
  • Customer instructs WhoAI to Process Customer Personal Data for the Permitted Service Purposes (such instruction, Customer’s “Documented Instructions”).
  • Customer represents, warrants and covenants that: (i) the Documented Instructions comply with all law; (ii) Customer will comply with its obligations, including obligations as a Data Controller, under applicable law; (iii) Customer has provided all notices, and obtained all consents and rights necessary under law for WhoAI to Process Customer Personal Data and provide the Services as contemplated in the Agreement and herein. Without limiting any payment obligations under the Agreement, Customer will immediately notify WhoAI and cease use of the Services in the event and to the extent any required authorization or legal basis for Processing is revoked or terminated. WhoAI may thereafter suspend Processing and/or provision of the Services and will have no liability for such actions.
  • For clarity, Customer acknowledges and agrees that WhoAI does not act as a Data Processor with respect to business contact information (the “Relationship Contact Data”) of Customer’s employees and representatives with whom WhoAI interacts for purposes of managing or communicating about WhoAI services generally. With respect to Relationship Contact Data, the Parties each act as independent Data Controllers each responsible for their own compliance with their respective obligations under law. No joint controller relationship is established between the Parties.

3. WHOAI OBLIGATIONS

  • WhoAI shall not Process Customer Personal Data for any purpose other than the Permitted Service Purposes.
  • WhoAI shall not Process Customer Personal Data collected pursuant to the Agreement outside the direct business relationship between WhoAI and Customer unless expressly permitted by law.
  • As required by Data Privacy Laws, WhoAI shall not combine Customer Personal Data with personal data that it receives from another source or collects from interactions, in each case on WhoAI’s own behalf, unless permitted by law.
  • As required by Data Privacy Laws, WhoAI shall notify Customer if it determines, in its sole discretion, that it is unable to meet its obligations under Data Privacy Laws in such a manner as renders it incapable of providing the Services. WhoAI may thereafter suspend its Processing and/or provision of Services without liability.
  • As required by Data Privacy Laws, at Customer’s reasonable request and with at least thirty (30) days advance written notice, WhoAI shall make available to Customer such records and information as is necessary to demonstrate that its use of Customer Personal Data is compliant with this DPA and applicable Data Privacy Laws by providing to Customer, not more than once annually, copies of WhoAI’s most recent privacy and/or security control audits or test reports to the extent available at the time of request.
  • As required by Data Privacy Laws, Customer shall have the right to take reasonable and appropriate steps to stop and remediate use of Customer Personal Data by WhoAI that violates this DPA or Data Privacy Laws, solely by notifying WhoAI of the proposed stoppage or remediation. WhoAI shall consider such requests in good faith and inform Customer of its proposed response, which may include no action in its discretion. WhoAI may rely upon but will have no liability for following any such proposals of Customer.
  • As required by Data Privacy Laws, WhoAI shall provide reasonable cooperation to Customer to respond to data subject rights requests under Data Privacy Laws and/or WhoAI shall provide tools as part of its services that permit Customer to manage such requests itself. In the event that WhoAI receives a data subject rights request which it identifies as relating to Customer, WhoAI shall promptly inform Customer of the same, including via email. WhoAI may respond to such data subject rights request as required of it by law, to acknowledge receipt, and/or to direct the request to Customer.
  • WhoAI shall comply with all applicable requirements under Data Privacy Laws, including, where relevant, to provide the same level of privacy protection to Customer Personal Data as Customer is required to provide such data under Data Privacy Laws, by adhering to the standards set forth above and any additional standards agreed upon between the Parties in writing.
  • To the extent required by applicable Data Privacy Laws, WhoAI shall implement reasonable information security procedures and practices appropriate to the nature of the Customer Personal Data to protect the same from unauthorized or illegal access, destruction, use, modification, or disclosure, or any Security Incident. Notwithstanding the foregoing, Customer acknowledges that it has been afforded an opportunity to conduct its own diligence review of WhoAI’s information security procedures and concluded that the same are adequate.
  • As required by Data Privacy Laws, with respect to its Processing of Customer Personal Data, WhoAI shall not Sell or Share the Customer Personal Data.
  • WhoAI shall ensure all employees, contractors, or other internal staff Processing Customer Personal Data are subject to a duty of confidentiality with respect to such data.

3. SUBPROCESSING

  • Customer agrees that WhoAI may share Customer Personal Data with the Subprocessors listed at the following link: [______] (“Subprocessor List”), which may be updated from time to time, for the Permitted Service Purposes.
  • Customer agrees that WhoAI can share Customer Personal Data with Subprocessors in addition to those in the Subprocessor List. WhoAI shall provide Customer an opportunity to object to such additional Subprocessors by providing prior notice of such proposed additional Subprocessor to the Customer. Such notice may be provided by WhoAI updating its Subprocessor List, or by other reasonable means (such as email notice).
  • WhoAI shall enter into written contracts with its Subprocessors. Such contracts are designed to ensure WhoAI’s continued ability to meet its obligations under this DPA. WhoAI shall remain liable for the acts or omissions of its Subprocessors which cause WhoAI to violate any terms of this DPA, subject to agreed limitations of liability under the Agreement.

4. RETENTION

At the choice of Customer, WhoAI shall delete or return Customer Personal Data to Customer as requested at the end of the Agreement, unless WhoAI is permitted by law to further retain such data.

5. LIMITATION OF LIABILITY

  • WHOAI WILL NOT BE LIABLE IN CONNECTION WITH THIS DPA OR UNDER ANY LEGAL THEORY (WHETHER IN CONTRACT, TORT OR OTHERWISE) FOR ANY INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, EXEMPLARY OR PUNITIVE DAMAGES, OR FOR ANY LOSS OR CORRUPTION OF DATA, REVENUES OR PROFITS, EVEN IF WHOAI KNEW OR SHOULD HAVE KNOWN OF THE POSSIBILITY OF SUCH DAMAGES. NOTWITHSTANDING ANY OTHER TERM OR AGREEMENT BETWEEN THE PARTIES, WHOAI’S TOTAL AGGREGATE LIABILITY UNDER THIS DPA OR ITS SUBJECT MATTER WILL NOT EXCEED THE AMOUNT PAID OR PAYABLE BY CUSTOMER TO WHOAI DURING THE SIX (6) MONTH PERIOD PRIOR TO THE FIRST EVENT GIVING RISE TO SUCH LIABILITY.

  • Costs and expenses for which Customer is responsible under this DPA shall not be subject to any limitation of liability clause otherwise agreed between the Parties, including within the Agreement.

6. INDEMNITY

Customer will indemnify, defend, and hold harmless WhoAI and its affiliates from any claims, actions, suits, demands, losses, liabilities, damages, costs and expenses (including attorney’s fees) arising from or in connection with: (i) breaches of this DPA by Customer or its agents; (ii) acts or omissions of Customer or its agents or its or their employees, affiliates, customers, or contractors relating to the Services; (iii) the Processing of Customer Personal Data by Customer or its agents; (iv) the Customer’s Processing instructions to WhoAI and WhoAI’s acts or omissions in accordance therewith; and (v) Customer’s breach of any laws or regulations (including but not limited to Data Privacy Laws). WhoAI may upon written notice assume the control of any defense under this provision. Customer will fully cooperate thereafter, at its sole expense, with WhoAI upon request with respect to such defense.

7. MISCELLANEOUS PROVISIONS

  • Severability. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be construed in a manner as if the invalid or unenforceable part had never been contained therein.
  • Construal. In interpreting the provisions of this DPA, no adverse inference shall be drawn against a Party by reason of that Party being a drafting party of this DPA. Headings herein are for convenience only.