Clockwork Recruiting - Data Processing Agreement

This Clockwork Data Processing Agreement (“DPA”) is entered into and made effective as of the date of Customer’s agreement to the Clockwork Terms of Service (the “Effective Date”). This DPA is made, by and between Clockwork, Inc. (“Provider”) and the customer that has entered into the Terms of Service with Provider (“Customer”).

Provider:
Clockwork, Inc.

Entity type / incorporated in:
Delaware corporation

Address:
4357 Cedarhurst Circle, Los Angeles, CA 90027

Contact for data protection inquiries:
privacy@clockworkrecruiting.com

Each of Customer and Provider may be referred to herein as a "party" and together as the "parties".

HOW TO EXECUTE THIS DPA:
This DPA is incorporated into the Terms of Service. Collectively, the DPA (including the SCCs or IDTA, as defined herein) and the Terms of Service are referred to in this DPA as the “Terms of Service”. In the event of any conflict or inconsistency between any of the terms of the Agreement, the provisions of the following documents (in order of precedence) shall prevail: (a) the SCCs or IDTA; (b) this DPA; and (c) the Terms of Service. Except as specifically amended in this DPA, the Terms of Service remain unchanged and in full force and effect.

1. Introduction
This DPA applies to Provider’s Processing of Personal Data under the Terms of Service executed between Provider and Customer (each an “Agreement”) for Provider’s provision of the Clockwork Services (collectively, the “Services”).

Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws and Regulations, in the name and on behalf of its Affiliates. For the purposes of this DPA only, and except where indicated otherwise, the term “Customer” shall include Customer and Affiliates. Provider enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws and Regulations, in the name and on behalf of its Affiliates. For the purposes of this DPA only, and except where indicated otherwise, the term “Provider” shall include Provider and its Affiliates.

2. Definitions
Capitalized terms that are used but not defined in this DPA have the meanings given in the Agreement.

a. “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interest of the subject entity.

b. “Applicable Data Protection Laws” means, with respect to a party, all privacy, data protection, breach notification, and information security-related laws and regulations applicable to such party’s Processing of Personal Data.

c. “Customer Data” means Personal Data provided by Customer or that Clockwork collects on behalf of Customer under the Agreement.

d. “Data Subject” means the identified or identifiable natural person who is the subject of Personal Data.

e. “Personal Data” means “personal data”, “personal information”, “personally identifiable information”, or similar information defined in and governed by Applicable Data Protection Laws.

f. “Process” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

g. “Security Incident” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data being Processed by Provider. Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.

h. “Subprocessor” means any third-party authorized by Provider to Process any Customer Data.

i. “Usage Data” means aggregate and other usage data that is not Customer Data, payment records, credit cards, or other information Customer uses to pay Provider, or other information and records related to Customer’s account, including without limitation identifying information related to Customer staff involved in payment or other management of such account.

3. General; Termination

a. This DPA forms part of the Agreement, and except as expressly set forth in this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA will govern.

b. Any liabilities arising under this DPA are subject to the limitations of liability in the Agreement.

c. This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by Applicable Data Protection Laws.

d. The provisions of this DPA shall survive the termination or expiration of the Agreement as long as Provider continues to Process Customer Data in connection with the Agreement.

4. Relationship of the Parties

a. Provider as Processor. The parties acknowledge and agree that with regard to the Processing of Customer Data, Customer may act as a controller and Provider is a processor. Provider will Process Customer Data in accordance with Customer’s instructions as outlined in Section 6 (Role and Scope of Processing).

b. Provider as Controller. To the extent that any Usage Data is considered Personal Data, Provider is the controller with respect to such data and will Process such data in accordance with its Privacy Policy, which can be found at https://www.clockworkrecruiting.com/privacy-policy.

5. Compliance with Law. Each party will comply with its obligations under Applicable Data Protection Laws with respect to its Processing of Customer Data and Usage Data.

6. Role and Scope of the Processing

a. Customer Instructions. Provider will Process Customer Data only in accordance with Customer’s instructions. By entering into the Agreement, Customer instructs Provider to Process Customer Data to provide the Services and pursuant to any other written instructions given by Customer and acknowledged in writing by Provider as constituting instructions for purposes of this DPA. Customer acknowledges and agrees that such instruction authorizes Provider to Process Customer Data (a) to perform its obligations and exercise its rights under the Agreement; and (b) to perform its legal obligations and to establish, exercise, or defend legal claims in respect of the Agreement.

7. Subprocessing
a. Customer specifically authorizes Provider to use its Affiliates as Subprocessors, and generally authorizes Provider to engage Subprocessors to Process Customer Data. In such instances, Provider:

(i) will enter into a written agreement with each Subprocessor, imposing data protection obligations substantially similar to those set out in this DPA; and

(ii) remains liable for compliance with the obligations of this DPA and for any acts or omissions of the Subprocessor that cause Provider to breach any of its obligations under this DPA.

b. A list of Provider’s Subprocessors, including their functions and locations, is available at https://www.clockworkrecruiting.com/subprocessor-list (“Subprocessor Page”), and may be updated by Provider from time to time in accordance with this DPA.

c. When any new or replacement Subprocessor is engaged, Provider will notify Customer of the engagement, which notice may be given by updating the Subprocessor Page and via the notification mechanism on the Subprocessor Page. Provider will give such notice at least ten (10) calendar days before the new or replacement Subprocessor Processes any Customer Data, except that if Provider reasonably believes engaging a new or replacement Subprocessor on an expedited basis is necessary to protect the confidentiality, integrity, or availability of the Customer Data or avoid material disruption to the Services, Provider will give such notice as soon as reasonably practicable. If, within ten (10) calendar days after such notice, Customer notifies Provider in writing that Customer objects to Provider’s appointment of a new or replacement Subprocessor based on reasonable data protection concerns, the parties will discuss such concerns in good faith and whether they can be resolved. If Processor is reasonably able to provide the Services to the Customer in accordance with an Agreement without using the Subprocessor and decides in its discretion to do so, then the Customer will have no further rights under this Section 7.c in respect of the proposed use of the Subprocessor. If the parties are not able to mutually agree to a resolution of such concerns, Customer, as its sole and exclusive remedy, may terminate the Agreement only in relation to the Services to which the proposed new Subprocessor’s processing of Customer Data relates or would relate for convenience with no refunds, and Customer will remain liable to pay any committed fees in a Sales Order or other similar ordering document. If the Customer does not provide a timely objection to any new or replacement Subprocessor in accordance with this Section 7.c, Customer will be deemed to have consented to the Subprocessor and waived its right to object. Processor may use a new or replacement Subprocessor whilst the objection procedure in this Section 7.c is in process.

8. Security

a. Security Measures. Provider will implement and maintain technical and organizational security measures designed to protect Customer Data from Security Incidents and to preserve the security and confidentiality of the Customer Data, in accordance with Provider’s security standards referenced in the Agreement and/or on Schedule 2 (“Security Measures”).

b. Customer Responsibility.

(i) Customer is responsible for reviewing the information made available by Provider relating to data security and making an independent determination as to whether the Services meet Customer’s requirements and legal obligations under Applicable Data Protection Laws. Customer acknowledges that the Security Measures may be updated from time to time to reflect process improvements or changing practices (but the modifications will not materially decrease Provider’s obligations as compared to those reflected in such terms as of the Effective Date).

(ii) Customer agrees that, without limitation of Provider’s obligations under this Section 8, Customer is solely responsible for its use of the Services, including (a) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Customer Data; (b) securing the account authentication credentials, systems, and devices Customer uses to access the Services; (c) securing Customer’s systems and devices that it uses with the Services; and (d) maintaining its own backups of Customer Data.

c. Security Incident. Upon becoming aware of a confirmed Security Incident, Provider will notify Customer without undue delay unless prohibited by applicable law. A delay in giving such notice requested by law enforcement and/or in light of Provider’s legitimate needs to investigate or remediate the matter before providing notice will not constitute an undue delay. Such notices will describe, to the extent possible, details of the Security Incident, including steps taken to mitigate the potential risks and steps Provider recommends Customer take to address the Security Incident. Without prejudice to Provider’s obligations under this Section 8.c, Customer is solely responsible for complying with Security Incident notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Security Incidents. Provider’s notification of or response to a Security Incident under this Section 8.c will not be construed as an acknowledgement by Provider of any fault or liability with respect to the Security Incident.

9. Audits and Reviews of Compliance. The parties acknowledge that Customer must be able to assess Provider’s compliance with its obligations under Applicable Data Protection Law and this DPA, insofar as Provider is acting as a processor on behalf of Customer.

a. Provider’s Audit Program. Provider uses external auditors to verify the adequacy of its security measures with respect to its processing of Customer Data. Such audits are performed at least once annually at Provider’s expense by independent third-party security professionals at Provider’s selection and result in the generation of a confidential audit report (“Audit Report”).

b. Customer Audit. Upon Customer’s written request at reasonable intervals, and subject to reasonable confidentiality controls, Provider will make available to Customer a copy of Provider’s most recent Audit Report. Customer agrees that any audit rights granted by Applicable Data Protection Laws will be satisfied by these Audit Reports. To the extent that Provider’s provision of an Audit Report does not provide reasonably sufficient information for Customer to verify Provider’s compliance with this DPA or Customer is required to respond to a regulatory authority audit, Customer agrees to a mutually agreed-upon audit plan with Provider that: (a) ensures the use of an independent third-party; (b) provides notice to Provider in a timely fashion; (c) requests access only during business hours; (d) accepts billing to Customer at Provider’s then-current rates; (e) occurs no more than once annually; (f) restricts findings to only Customer Data relevant to Customer; and (g) obligates Customer, to the extent permitted by law or regulation, to keep confidential any information gathered that, by its nature, should be confidential.

10. Impact Assessments and Consultations. Provider will provide reasonable cooperation to Customer in connection with any data protection impact assessment (at Customer’s expense only if such reasonable cooperation will require Provider to assign significant resources to that effort) or consultations with regulatory authorities that may be required in accordance with Applicable Data Protection Laws.

11. Data Subject Requests. Provider will upon Customer’s request (and at Customer’s expense) provide Customer with such assistance as it may reasonably require to comply with its obligations under Applicable Data Protection Laws to respond to requests from individuals to exercise their rights under Applicable Data Protection Laws (e.g., rights of data access, rectification, erasure, restriction, portability, and objection) in cases where Customer cannot reasonably fulfill such requests independently by using the self-service functionality of the Services. If Provider receives a request from a Data Subject in relation to their Customer Data, Provider will advise the Data Subject to submit their request to Customer, and Customer will be responsible for responding to any such request.

12. Return or Deletion of Customer Data

a. Provider will, within sixty (60) days after request by Customer, delete all Customer Data from Provider’s systems.

b. Notwithstanding the foregoing, Customer understands that Provider may retain Customer Data if required by law or if such data exists within backups where it is put beyond practicable use and deleted in accordance with Provider’s separate retention timeframes for archival media, and such data will remain subject to the requirements of this DPA.

13. International Provisions
a. Processing in the United States. Customer acknowledges that, as of the Effective Date, Provider’s primary processing facilities are in the United States.

b. Jurisdiction Specific Terms. To the extent that Provider Processes Customer Data originating from and protected by Applicable Data Protection Laws in one of the Jurisdictions listed in Schedule 4 (Jurisdiction Specific Terms), then the terms specified therein with respect to the applicable jurisdiction(s) will apply in addition to the terms of this DPA.

c. Cross Border Data Transfer Mechanism. To the extent that Customer’s use of the Services requires an onward transfer mechanism to lawfully transfer personal data from a jurisdiction (i.e., the European Economic Area (“EEA”), the United Kingdom (“UK”), Switzerland, or any other jurisdiction listed in Schedule 3) to Provider located outside of that jurisdiction (a “Transfer Mechanism”), the terms and conditions of Schedule 3 (Cross Border Transfer Mechanisms) will apply.

SCHEDULE 1
SUBJECT MATTER & DETAILS OF PROCESSING

1. Nature and Purpose of the Processing. Provider will process Personal Data as necessary to provide the Services under the Agreement. Provider does not sell Customer Data (or end user information within such Customer Data) and does not share such end users’ information with third parties for compensation or for those third parties’ own business interests.

a. Customer Data. Provider will process Customer Data as a processor in accordance with Customer’s instructions as outlined in Section 6.a (Customer Instructions) of this DPA.

b. Usage Data. Provider will process Usage Data as a controller for the purposes outlined in Section 4.b (Provider as Controller) of this DPA.

2. Processing Activities.

a. Customer Data. Customer Data will be subject to the following basic processing activities: the provision of Services that allow for Customers to manage its executive search and recruiting workflows.

b. Usage Data. Personal Data contained in Usage Data will be subject to the following processing activities by Provider: Provider may use Usage Data to operate, improve, and support the Services and for other lawful business practices, such as analytics, benchmarking, and reporting.

3. Duration of the Processing. The period for which Personal Data will be retained and the criteria used to determine that period is as follows:

a. Customer Data. Prior to the termination of the Agreement, Provider will process stored Customer Data for the purpose of providing the Services until Customer elects to delete such Customer Data via the Provider Services or as set forth in Section 12 (Return or Deletion of Customer Data) above.

b. Usage Data. Upon termination of the Agreement, Provider may retain, use, and disclose Usage Data for the purposes set forth above in Section 2.b (Usage Data) of this Schedule 1, subject to the confidentiality obligations set forth in the Agreement. Provider will anonymize or delete Personal Data contained within Usage Data when Provider no longer requires it for the purpose set forth in Section 2.b (Usage Data) of this Schedule 1.

4. Categories of Data Subjects.

a. Customer Data. Customer Data that is uploaded by Customer’s end users with access to a Provider account and executive search profiles.

b. Usage Data: Customer’s internal end users with access to a Provider account.

5. Categories of Personal Data.

a. Customer Data. The categories of Customer Data are such categories as Customer is authorized to ingest into the Services under the Agreement.

b. Usage Data. Provider processes Personal Data within Usage Data.

6. Sensitive Data or Special Categories of Data.

a. Customer Data. Customers shall not submit sensitive data or special categories of data in Customer Data.

b. Usage Data. Sensitive Data is not contained in Usage Data.

SCHEDULE 2
TECHNICAL & ORGANIZATIONAL SECURITY MEASURES

Where applicable, this Schedule 2 will serve as Annex II to the Standard Contractual Clauses or IDTA. The following provides more information regarding Provider’s technical and organizational security measures set forth below. If you have any questions about security on our website, you can contact us at privacy@clockworkrecruiting.com.

The technical and organisational measures must be described in specific (and not generic) terms. See also the general comment on the first page of the Appendix, in particular on the need to clearly indicate which measures apply to each transfer/set of transfers.

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

Please see: https://support.clockworkrecruiting.com/article/296-clockwork-recruiting-security-information and our Audit Report provided on request.

For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter.

See above

SCHEDULE 3
CROSS BORDER DATA TRANSFER MECHANISM

1. Definitions

a. “Standard Contractual Clauses” means the 2021 Standard Contractual Clauses approved by the European Commission in decision 2021/914.

b. “UK IDTA” means the UK international data transfer addendum.

2. UK IDTA. For data transfers from the United Kingdom, the UK IDTA will be deemed entered into (and incorporated into this DPA by reference) together with the Standard Contractual Clauses as set forth in Section 3 of this Schedule 3 below.

3. The Standard Contractual Clauses. For data transfers from the European Economic Area, the UK, and Switzerland that are subject to the Standard Contractual Clauses, the Standard Contractual Clauses will apply in the following manner:

a. Module One (Controller to Controller) will apply where Customer is a controller of Usage Data and Provider is a controller of Usage Data.

b. Module Two (Controller to Processor) will apply where Customer is a controller of Customer Data and Provider is a processor of Customer Data.

c. For each Module, where applicable:

(i) in Clause 7, the option docking clause will not apply;

(ii) in Clause 9, Option 2 will apply, and the time period for prior notice of sub-processor changes will be as set forth in Section 7 (Subprocessing) of this DPA;

(iii) in Clause 11, the optional language will not apply;

(iv) in Clause 17 (Option 1), the 2021 Standard Contractual Clauses will be governed by Irish law.

(v) in Clause 18(b), disputes will be resolved before the courts of Ireland;

(vi) In Annex I, Part A:

Data Exporter: Customer and authorized Affiliates of Customer.

Contact Details: Customer’s account owner email address, or to the email address(es) for which Customer elects to receive privacy communications.

Data Exporter Role: The Data Exporter’s role is outlined in Section 4 (Relationship of the Parties) of this DPA.

Signature & Date: By entering into the Agreement, Data Exporter is deemed to have signed these Standard Contractual Clauses or IDTA incorporated herein, including their Annexes, as of the Effective Date of the Agreement.

Data Importer: Provider and authorized Affiliates of Provider.

Contact Details: Provider Privacy Team – privacy@clockworkrecruiting.com

Data Importer Role: The Data Importer’s role is outlined in Section 4 (Relationship of the Parties) of this DPA.

Signature & Date: By entering into the Agreement, Data Importer is deemed to have signed these Standard Contractual Clauses or IDTA, incorporated herein, including their Annexes, as of the Effective Date of the Agreement.

(vii) In Annex I, Part B:

The categories of data subjects are described in Schedule 1, Section 4.

The sensitive data transferred is described in Schedule 1, Section 6.

The frequency of the transfer is a continuous basis for the duration of the Agreement.

The nature of the processing is described in Schedule 1, Section 1.

The purpose of the processing is described in Schedule 1, Section 1.

The period of the processing is described in Schedule 1, Section 3.

For transfers to sub-processors, the subject matter, and nature of the processing is outlined at https://www.clockworkrecruiting.com/subprocessor-list. The duration of the processing is the term of the relevant subprocessor contract.

(viii) In Annex I, Part C: The Irish Data Protection Commission will be the competent supervisory authority.

(ix) Schedule 2 serves as Annex II of the Standard Contractual Clauses.

4. As to the specific modules, the parties agree that the following modules apply, as the circumstances of the transfer may apply:

Controller-Controller - Module One, when Provider is acting as a Controller as to Usage Data.

Controller-Processor - Module Two, when Provider is acting as a Processor as to Customer Data.

5. To the extent there is any conflict between the Standard Contractual Clauses or the UK IDTA and any other terms in this DPA, including Schedule 4 (Jurisdiction Specific Terms), the provisions of the Standard Contractual Clauses or UK IDTA will prevail.

SCHEDULE 4
JURISDICTION SPECIFIC TERMS

1. California

a. The definition of “Applicable Data Protection Law” includes the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq (“CCPA”).

b. The terms “business”, “commercial purpose”, “service provider”, “sell”, and “personal information” have the meanings given in the CCPA.

c. With respect to Customer Data, Provider is a service provider under the CCPA.

d. Provider will not (a) sell Customer Data; (b) retain, use, or disclose any Customer Data for any purpose other than for the specific purpose of providing the Services, including retaining, using, or disclosing the Customer Data for a commercial purpose other than providing the Services; or (c) retain, use, or disclose the Customer Data outside of the direct business relationship between Provider and Customer.

e. The parties acknowledge and agree that the Processing of Customer Data authorized by Customer’s instructions described in Section 6 of this DPA is integral to and encompassed by Provider’s provision of the Services and the direct business relationship between the parties.

f. Notwithstanding anything in the Agreement or any Order Form entered in connection therewith, the parties acknowledge and agree that Provider’s access to Customer Data does not constitute part of the consideration exchanged by the parties in respect of the Agreement.

g. To the extent that any Usage Data (as defined in the Agreement) is considered Personal Data, Provider is the business with respect to such data and will Process such data in accordance with its Privacy Policy, which can be found at https://www.clockworkrecruiting.com/privacy-policy.

2. EEA

a. The definition of “Applicable Data Protection Laws” includes the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”).

b. When Provider engages a Subprocessor under Section 7 (Subprocessing), it will:

(i) require any appointed Subprocessor to protect Customer Data to the standard required by Applicable Data Protection Laws, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR; and

(ii) require any appointed Subprocessor to agree in writing to only process data in a country that the European Union has declared to have an “adequate” level of protection; or to only process data on terms equivalent to the Standard Contractual Clauses.

c. GDPR Penalties. Notwithstanding anything to the contrary in this DPA or in the Agreement (including, without limitation, either party’s indemnification obligations), neither party will be responsible for any GDPR fines issued or levied under Article 83 of the GDPR against the other party by a regulatory authority or governmental body in connection with such other party’s violation of the GDPR.

3. Switzerland

a. The definition of “Applicable Data Protection Laws” includes the Swiss Federal Act on Data Protection.

b. When Provider engages a Subprocessor under Section 7 (Subprocessing), it will

4. United Kingdom

a. References in this DPA to GDPR will to that extent be deemed to be references to the corresponding laws of the United Kingdom (including the UK GDPR and Data Protection Act 2018).

b. When Provider engages a Subprocessor under Section 7 (Subprocessing), it will:

Data Processing Agreement

Useful Links

Get In Touch