The Data Protection Addendum (hereafter "Addendum" or "DPA") is incorporated by reference to the relevant services agreement or principal agreement for the provision of products and/or services (hereafter referred to generically as "Principal Agreement") between: (i) Chorke, Inc. (hereafter "Chorke Academia") acting on its own behalf and as agent for each Chorke Academia Affiliate and/or Subsidiary; and (ii) Customer as described in the relevant ordering document acting on its own behalf and as agent for each Customer Affiliate.
The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Principal Agreement. Except as modified below, the terms of the Principal Agreement shall remain in full force and effect.
In consideration of the mutual obligations set forth herein, the parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Principal Agreement. Except where the context requires otherwise, references in this Addendum to the Principal Agreement are to the Principal Agreement as amended by, and including, this Addendum. In the event of any conflict or inconsistency between any of the terms of the Principal Agreement and this addendum (including Standard Contractual Clauses where applicable) the provisions of the following documents in order of preference shall prevail: (1) the Standard Contractual Clauses also referred to as model clauses, (2) this DPA, (3) the Principal Agreement. Except as amended by this DPA or the relevant Standard Contractual Clauses (where applicable) the Principal Agreement and applicable ordering document remain unchanged and in full force and effect.
"Applicable Laws" means (a) European Union or member State laws with respect to any Customer Personal Data in respect of which any Customer is subject to EU Data Protection Laws; and (b) any other applicable law with respect to any Customer Personal Data in respect of which any Customer is subject to any other Data Protection Laws;
"Customer Affiliate" means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with Customer, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;
"Customer Data" means all data, including text, graphics, logos, tools, software or source code that are provided to Chorke Academia or as described in the Principal Agreement, that are provided to Chorke Academia through Customer's use of Chorke Academia products and services;
"Data Processor" means Chorke Academia or a Sub-processor;
"Data Protection Laws and Regulations" means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom, applicable to the Processing of Personal Data under the Agreement.
"GDPR" means the EU General Data Protection regulation 2016/679;
"Privacy Shield" means the U.S. Department of Commerce EU - US and Swiss - US Privacy Shield Framework requirements as set out at the following URL: https://www.privacyshield.gov/welcome or any replacement framework or URL from time to time.
"Services" means the services and other activities to be supplied to or carried out by or on behalf of Chorke Academia for Customer pursuant to the Principal Agreement;
"Chorke Academia Affiliate" means an entity that owns or controls, is owned or controlled by or is under common control or ownership with Chorke Academia, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
"Standard Contractual Clauses" also referred to as "model clauses" means all Controller to Processor contractual transfer mechanisms, but does not include Privacy Shield certification as transfer mechanism;
"Sub-processor" means any person (including any third party, but excluding an employee of Chorke Academia or any of its subcontractors) appointed by or on behalf of Chorke Academia or any Chorke Academia Affiliate to Process Personal Data on behalf of Customer in connection with the Principal Agreement.
The terms, "Commission", "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processing", "Processor" and "Supervisory Authority" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
The parties agree with regard to the Processing of Customer Data (other than for account registration purposes) that Customer is the Controller, Chorke Academia is the Processor and Chorke Academia shall comply with all applicable Data Protection Laws in the Processing of Customer Personal Data. Chorke Academia will not disclose Customer Data to a third-party except as Customer directs or unless required by law. Should a third-party contact Chorke Academia with a demand for Customer Data, Chorke Academia shall initially redirect such request for Customer Data directly to Customer (including subject access requests pursuant to GDPR so Customer may fulfill its Controller obligations under the GDPR). Chorke Academia will not independently respond to requests from Customer's end users without Customer's prior written instructions (except to confirm receipt of such request). If authorized to disclose by Customer in the performance of its Controller obligations, Chorke Academia will work with Customer to fulfill its obligations. If compelled to disclose Customer Data by lawful order Chorke Academia shall use commercially reasonable efforts to notify Customer in advance of such disclosure, unless prohibited from doing so by law.
Annex 1 to this Addendum sets out certain information regarding Chorke Academia's Processing of the Customer Personal Data as required by Article 28(3) of the GDPR. The subject-matter of Processing of Personal Data by Chorke Academia is the performance of the Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects covered under this DPA are further specified in Annex 1 to this DPA or by the Principal Agreement.
As part of providing the Services, Chorke Academia may transfer, store and process Customer Personal Data in the United States or other country in which Chorke Academia maintains facilities pursuant to the Privacy Shield Framework. During the Term of Principal Agreement, Chorke Academia shall remain enrolled and certified in the Privacy Shield Framework or will adopt an alternative GDPR compliant transfer mechanism to achieve the terms of the lawful transfer of Personal Data under the GDPR.
Alternatively, and in some cases as a subordinate supplement to Privacy Shield transfer mechanisms described above, Customer (as "data exporter") and each Contracted Processor, as appropriate (as "data importer") may enter into the Standard Contractual Clauses in respect of any Data Transfer required to carry out the Services. The Standard Contractual Clauses shall come into effect on the later of:
Chorke Academia personnel will not process Personal Data without authorization and ensure access to such Personal Data restricted to those individuals who need to know / access the relevant Personal Data, as necessary for the purpose of the Principal Agreement, and to comply with applicable laws and the GDPR privacy principles.
Chorke Academia shall ensure that its personnel and any Sub-processors engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and are bound by a duty of confidentiality no less stringent than that contained within the Principal Agreement.
Chorke Academia shall maintain appropriate technical and organizational measures for protection of the security, confidentiality, and integrity of Customer Data as set forth in Article 32(1) of the GDPR.
Chorke Academia shall provide Customer with reasonable cooperation and assistance needed to fulfill Customer's obligation under the GDPR to carry out a data protection impact assessment, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Customer reasonably considers to be required of any Customer by Article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.
Chorke Academia shall, pursuant to Controller's written instructions, return Customer Data to Customer and / or, to the extent allowed by Applicable Law, delete Customer Data in a reasonable time after cessation of any services involving the processing of Customer Personal Data, at the choice of the Customer.
Each Contracted Processor may retain Customer Personal Data to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws.
Chorke Academia has appointed a privacy officer and the appointed person may be reached at legal
Chorke Academia may engage other companies and third parties as Sub-processors to provide limited services on its behalf, such as providing customer support and Customer authorizes Chorke Academia to appoint and retain such Sub-processors. Any Sub-processors to whom Chorke Academia transfers Customer Data will have entered into written agreements with Chorke Academia requiring that the Sub-processor will have entered into written agreements with Chorke Academia requiring at least the same level of data security protections to be in place as is required by the GDPR.
Chorke Academia may continue to use those Sub-processors already engaged by Chorke Academia or any Affiliate as at the date of this Addendum and available for review on request.
Customer acknowledges and expressly agrees that Chorke Academia may engage third party Sub-processors in connection with the provision of the Services. Chorke Academia shall be liable for the acts and omissions of its Sub-processor to the same extent it would be liable if performing the services of each Sub-processor directly under the terms of this DPA, except as otherwise set forth herein. Chorke Academia has entered into a written agreement with each Sub-processor containing data protection obligations not less protective than those in this DPA with respect to the protection of Customer Data to the extent applicable to the nature of the Services provided by each Sub-processor. Chorke Academia shall make available to Customer its current list of Sub-processors including their name and country of location and will provide notification of a new Sub-processor before authorizing any new Sub-processor to Process Personal Data in connection with the provision of applicable Services.
Customer may object in writing within ten (10) business days after receipt of Chorke Academia's use of a new Sub-processor. In the event Customer objects to a new Sub-processor, Chorke Academia will make reasonable efforts to make an alternative Sub-processor available to the Customer or recommend a commercially reasonable change to Customer's configuration or use of Services to avoid the processing of Personal Data by the objected to Sub-processor without unreasonably burdening Customer. If Chorke Academia is unable to make available such change within a reasonable amount of time, which shall not exceed thirty (30) days, Customer may terminate any applicable order form with respect only to those Services which cannot be provided by Chorke Academia without the use of the objected-to new Sub-processor and will be refunded any prepaid fees covering the remainder of Term of such order forms.
Chorke Academia shall be liable for the acts and omissions of its Sub-processors to the same extent Chorke Academia would be liable if performing the services of each Sub-processor directly under the terms of this DPA, except as otherwise set forth in the Principal Agreement.
Taking into account the nature of the Processing, Chorke Academia shall assist Customer by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Customer's obligation, as reasonably understood by Chorke Academia, to respond to a Data Subject Request under Data Protection Laws.
Chorke Academia shall, to the extent legally permitted, promptly notify Customer if Chorke Academia receives a request from a Data Subject under any Data Protection Law (including, but not limited to right of access, right to rectification, restriction of Processing, right to be forgotten, data portability, object to processing, or right not to be subject to an automated individual decision making) in respect of Customer Personal Data.
Chorke Academia shall notify Customer without undue delay upon Chorke Academia or any Sub-processor becoming aware of a Personal Data Breach affecting Customer Personal Data. Chorke Academia will provide Customer with sufficient information to allow Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws and any other Applicable Laws. Such notification shall as a minimum describe the nature of the Personal Data Breach, the categories and numbers of Data Subjects concerned, and the categories and numbers of Personal Data records concerned; communicate the name and contact details of Chorke Academia's Data Protection Officer or other relevant contact from whom more information may be obtained; described the likely consequences of the Personal Data Breach; and describe the measures taken or proposed to be taken to address the Personal Data Breach.
Chorke Academia shall make reasonable efforts to identify the cause of a Personal Data Breach and take necessary and reasonable steps in order to remediate the cause of the Personal Data Breach to the extent the remediation is within Chorke Academia's reasonable control. The obligations herein shall not apply to incidents that are caused by Customer or Customer's Users.
Chorke Academia shall make available to Customer on request all information necessary to demonstrate compliance with this Addendum, and shall allow for audits including inspections, by Customer, or an auditor mandated by Customer in relation to the Processing of the Customer Personal Data by the Contracted Processors. Information and audit rights of the Customer only arise to the extent that the Principal Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law.
Customer may contact Chorke Academia to request an on-site audit of the architecture, systems and procedures relevant to the protection of Personal Data at locations where Personal Data is stored. Before the commencement of any such on-site audit, Customer and Chorke Academia shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Customer shall be responsible. All reimbursement rates shall be borne by Customer and reasonable, taking into account the resources expended by Chorke Academia. Customer shall promptly notify Chorke Academia with information regarding any non-compliance discovered during the course of an audit.
Customer must give Chorke Academia a reasonable notice and shall make reasonable endeavours to avoid causing any damage, injury or disruption to the Contracted Processors' premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection. A Contracted Processor need not give access to its premises for the purpose of such audit or inspection:
Customer shall at its sole expense, defend, indemnify, and hold harmless, Chorke Academia, its directors, officers, employees, affiliates, successors and assigns from and against any and all damages, losses, costs, and expenses (including any reasonable attorney's fees and expenses), which Customer pays to third parties in connection with any claim, suit, action, or proceeding brought against Chorke Academia, and in each case to the extent arising out of any breach by Customer of this DPA.
The parties to this Addendum hereby submit to the choice of jurisdiction stipulated in the Principal Agreement with respect to any disputes or claims arising under this Addendum, including disputes regarding its existence, validity or termination or the consequences of its nullity. This Addendum and all non-contractual or other obligations arising out of or in connection with it are governed by laws of the country or territory stipulated for this purpose in the Principal Agreement.
In the event Customer requires modification of any data processing or transfer mechanism, Chorke Academia requires at least 30 (thirty) calendar days' written notice to Chorke Academia from time to time make any variations to the Standard Contractual Clauses, as they apply to Data Transfers which are subject to a particular Data Protection Law, which are required, as a result of any change in, or decision of a competent authority under, that Data Protection Law, to allow those Data Transfers to be made (or continue to be made) without breach of that Data Protection Law; and propose any other variation to this Addendum which Customer reasonably considers to be necessary to address the requirements of any Data Protection Law.
If Customer gives notice that amendment or modification of any data processing or transfer mechanism is required, Chorke Academia shall promptly co-operate (and ensure that any affected Sub-processors promptly co-operate) to ensure that equivalent variations are made to any agreement.
Customer shall not unreasonably withhold or delay agreement to any consequential variation to this Addendum proposed by Chorke Academia to protect the Contracted Processors against additional risks associated with the variations made herein. If Customer gives notice as required herein, the Parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in Customer's notice as soon as is reasonably practicable.
Should any provision of this Addendum be invalid or unenforceable, the the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amend as necessary to ensure its validity and enforceability, while preserving the parties' intentions as closely as possible or, if this is not possible, (ii) constructed in a manner as if the invalid or unenforceable part had never been contained therein.
IN WITNESS WHEREOF, this Addendum is entered into and becomes a binding part of the Principal Agreement for duration of Principal Agreement Term.
This Annex 1 includes certain details of the Processing of Customer Personal Data as required by Article 28(3) GDPR.
The subject matter and duration of the Processing of the Customer Personal Data are set out in the Principal Agreement and this Addendum.
Chorke Academia will Process Personal Data as necessary to perform the Services as detailed on the applicable ordering document pursuant to the Principal Agreement between the Parties and as further instructed by Customer in its use of the Services.
Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which depending on the product may include, but is not limited to
Talent:
Advertisement:
Teams/Enterprise:
Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer as Controller, and which includes, but is not limited to Personal Data relating to the following categories of data subjects:
The obligations and rights of Chorke Academia and Chorke Academia Affiliates are set out in the Principal Agreement and this Addendum.