Data Processing Agreement
This Data Processing Agreement (“DPA”) supplements any online or other terms of service, privacy policy, or written agreement (collectively the “Agreement”) between Libre LLC, DBA Hire Bloom (“Company”) and the entity that entered into the Agreement with Company (“Client”), each on behalf of themselves and their Affiliates (together, the “Parties”). This DPA governs the processing of any Personal Data that may be accessible to Client or Company and is effective as of the Agreement’s effective date (“Effective Date”).
1. PRECEDENCE; SURVIVAL
Terms not defined in this DPA or in applicable Data Protection Laws have the meaning assigned to them in the Agreement. In the event of any conflict or inconsistency, this DPA supersedes and prevails over any conflicting terms in the Agreement. The provisions of this DPA survive any termination of the Agreement to the extent necessary to give effect to them.
2. DEFINITIONS
2.1. “Affiliate” means an entity that now or hereafter controls, is controlled by or is under common control with a specified entity, where “control” means beneficial ownership, directly or indirectly, of more than fifty percent (50%) of the outstanding shares or other ownership interest (representing the right to vote for the election of directors or other managing authority or the right to make the decisions for such entity, as applicable) of an entity. Such entity is deemed to be an Affiliate only so long as such control exists.
2.2. “Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. The term “Controller” also includes the definition for a “business” under the CCPA and any similar designation under U.S. Privacy Laws and any other applicable data privacy and protection law.
2.3. “Anonymized Data” means data which does not relate to an identified or identifiable individual, or Personal Data that has been rendered anonymous in such a manner that the individual is not, or is no longer, identifiable.
2.4. “Data Protection Laws” means all applicable legislation relating to data protection and privacy including, without limitation, the EU Data Protection Directive 95/46/EC and all laws and regulations which amend or replace it, including the GDPR and the UK GDPR, together with any national implementing laws in any Member State of the European Union or, to the extent applicable, in any other country, and U.S. Privacy Laws, all as amended, repealed, consolidated or replaced from time to time.
2.5. “Data Subject” means the individual to whom Personal Data relates.
2.6. “GDPR” means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
2.7. “Personal Data” means any information relating to an identified or identifiable individual where such information is protected similarly as personal data or personally identifiable information under applicable Data Protection Laws.
2.8. “Personal Data Breach” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed.
2.9. “Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, or erasure of Personal Data.
2.10. “Processor” means a natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of a Controller. The term “Processor” also includes the definition for a “service provider” under the CCPA and any similar designation under the U.S. Privacy Laws and any other applicable data privacy and protection law.
2.11. “Sensitive Data” means a class of Personal Data including but not limited to (a) social security number, passport number, driver’s license number, or similar identifier, (b) credit or debit card number (other than truncated digits), financial information, banking account numbers or passwords, (c) employment, financial, genetic, biometric or health information, (d) racial, ethnic, political or religious affiliation, trade union membership, or information about sexual life or sexual orientation, (e) account passwords, (f) criminal history, or (g) any other information or combinations of information that falls within the definition of “special categories of data” under GDPR or any other applicable Data Protection Laws. Company will not Process or transfer any Sensitive Data unless specifically instructed by Client; provided, however, that any transfer or request by Client for Company to Process Sensitive Data constitutes Client’s assent for Company to Process Sensitive Data.
2.12. “Services” means the services provided by Company to Client pursuant to the Agreement.
2.13. “Standard Contractual Clauses” means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as set out in the Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
2.14. “Subprocessor” means a natural or legal person, public authority, agency, or other body engaged by a Processor who has or may potentially have access to Personal Data, or processes Personal Data.
2.15. “UK GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of natural persons regarding the processing of personal data and on the free movement of such data (General Data Protection Regulation) as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.
2.16. “UK Transfer Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, Version B1.0, issued by the UK Information Commissioner's Office (“ICO”) on February 2, 2022 and in force from 21 March 2022.
2.17. “U.S. Privacy Laws” means collectively the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively the “CCPA”); the Colorado Privacy Act (“CPA”); the Connecticut Data Privacy Act (“CTDPA”); the Utah Consumer Privacy Act (“UCPA”); the Virginia Consumer Data Protection Act (“VCDPA”); and any other applicable data privacy and protection law within the United States.
3. DETAILS OF PROCESSING
3.1. Classification of the Parties. To the extent that Company Processes Personal Data, Company is deemed a Processor. For the purposes of this DPA and the Agreement, Client is deemed a Controller; provided, however, that Company and Client may act as joint Controllers of some Personal Data related to Company's provision of the Services.
3.2. Categories of Data Subjects. Client may submit, transfer, or grant access to, Personal Data to Company, or direct Company to Process Personal Data as part of the Services, the extent of which is determined and controlled by Client in its sole discretion, and which may include, but is not limited to Data Subjects including Client’s employees, contractors, collaborators, customers, prospects, suppliers, agents, and subcontractors.
3.3. Categories of Personal Data. The Personal Data Processed, the extent of which is determined and controlled by Client in its sole discretion, includes but is not limited to name, address, phone number, email address and associated email data, navigational data (including website usage information), system usage data, and other electronic data submitted, stored, sent, or received by Client or Client’s end users, including, where applicable, Sensitive Data.
3.4. Sensitive Data. The Parties do not anticipate the transfer of Sensitive Data.
3.5. Frequency of Transfer. Company will Process Personal Data on a continuous basis for the duration of the Agreement, subject to limiting provisions in this DPA.
3.6. Purpose of the Processing. Company will Process Personal Data for purposes of providing the Services, as further instructed by Client in its use of the Services, and otherwise agreed to in the Agreement.
3.7. Retention. Company will Process Personal Data for the duration of the Agreement, subject to other limited provisions of this DPA.
4. CLIENT RESPONSIBILITY
Within the scope of the Agreement and in its use of Company’s Services, Client is solely responsible for complying with the statutory requirements of the Data Protection Laws, in particular regarding the disclosure and transfer of Personal Data to Company and the Processing of Personal Data. For the avoidance of doubt, Client’s instructions for the Processing of Personal Data must comply with Data Protection Laws. This DPA and the Agreement constitute Client’s complete and final instructions to Company in relation to Personal Data, and any additional instructions outside the scope of this DPA or the Agreement require prior written agreement between the Parties. Instructions must initially be specified in the Agreement and may, from time to time thereafter, be amended, amplified, or replaced by Client in separate written instructions (as individual instructions).
Client shall obtain all necessary consents from its customers for Company to Process Personal Data in accordance with the Agreement and Company’s privacy policy. Client shall inform Company, in writing, without undue delay and comprehensively about any errors or irregularities related to statutory provisions on the Processing of Personal Data, including if Client’s instructions or transfer of Personal Data to Company violate Data Protection Laws.
5. GENERAL COMPANY OBLIGATIONS
5.1. Compliance with Instructions. The Parties acknowledge that Client is primarily the Controller of Personal Data and Company is the Processor of Personal Data. To the extent Company is a Processor, Company shall Process Personal Data only within the scope of Client’s instructions. If Company believes that an instruction of Client violates Data Protection Laws, it will inform Client without delay. If Company cannot Process Personal Data in accordance with the instructions due to a legal requirement under any applicable Data Protection Laws, Company will (i) promptly notify Client of that legal requirement before the relevant Processing to the extent permitted by Data Protection Laws; and (ii) cease all Processing (other than merely storing and maintaining the security of the affected Personal Data) until such time as Client issues new instructions with which Company is able to comply. If this provision is invoked, Company will not be liable to Client under the Agreement for any failure to perform the applicable Services until such time as Client issues new instructions regarding the Processing.
5.2. Data Protection Impact Assessments and Consultation with Supervisory Authorities. To the extent that the required information is available to Company and Client does not otherwise have access to the required information, Company will provide reasonable assistance to Client with any data protection impact assessments, and prior consultations with supervisory authorities or other competent data privacy authorities, which Client reasonably considers to be required by Article 35 or 36 of the GDPR or equivalent provisions of any Data Protection Laws, in each case solely in relation to the processing of Personal Data.
5.3. Data Subject Requests. Company will provide reasonable assistance to Client in responding to requests from Data Subjects to exercise their rights under applicable Data Protection Laws. If such request is made directly to Company, Company will promptly inform Client and will advise Data Subjects to submit their request to Client. Client is solely responsible for responding to any Data Subjects’ requests.
5.4. Confidentiality. Company will keep Personal Data strictly confidential and ensure that any employees, Subprocessors, or other agents who have access to Personal Data (1) are informed of and subject to this strict duty of confidentiality; (2) access and Process only such Personal Data as is strictly necessary to perform Company’s obligations under the Agreement; and (3) do not permit any person to Process Personal Data who is not subject to the foregoing duties.
5.5. Security. Company will at all times take reasonable measures to adequately protect Personal Data against Personal Data Breaches. To this end, Company has implemented appropriate technical and organizational measures to protect Personal Data from Personal Data Breaches. These measures are described in Exhibit C attached to this DPA.
When Company becomes aware of a Personal Data Breach, Company will inform Client without undue delay, and in any event within the time required by Data Protection Laws. Company will reasonably cooperate with Client and provide information to fulfil Client’s breach notification obligations under Data Protection Laws. Company will also take additional measures and actions, in its sole discretion or as required by Data Protection Laws, that are necessary to remedy or mitigate the effects of the Personal Data Breach, and will keep Client informed of every material development connected with the Personal Data Breach. Except as required by law, Company will not notify Data Subjects of any Personal Data Breach.
5.6. U.S. Specific Terms. Company will Process Personal Data pursuant to all applicable U.S. Privacy Laws. Client acknowledges and specifically consents that Company may “share” Personal Data as defined in the CCPA and has obtained consent from its customers for Company to take such action; provided, however, that Company will comply with any Data Subject’s exercise of their right to opt-out of Company’s sharing of Personal Data.
6. AUDITS
Company shall, in accordance with Data Protection Laws and in response to a reasonable written request by Client, make available to Client such information in Company’s possession or control related to Company’s compliance with the obligations of data processors under Data Protection Laws in relation to its Processing of Personal Data.
Upon Client's written request, on at least thirty (30) days’ written notice to Company, and not more than once per calendar year, Company will allow a mutually agreed upon third-party auditor to conduct an inspection of Company’s business operations, during regular business hours and without interrupting Company’s business operations, solely to determine Company's compliance with this DPA.
Company shall, upon Client’s written request and on at least thirty (30) days’ written notice to Company, provide Client with all information necessary for such audit, to the extent that such information is within Company’s control and Company is not precluded from disclosing it by applicable law, a duty of confidentiality, or any other obligation owed to a third party.
7. SUBPROCESSORS
7.1. Appointment of Subprocessors. Client acknowledges (a) the engagement as Subprocessors of Company’s Affiliates and the third parties listed, if any, on Exhibit D, and (b) that Company and its Affiliates respectively may engage third-party Subprocessors in connection with the provision of the Services. Company may add to or delete from the list of Subprocessors at any time, and Client’s consent extends to any third parties added thereto. For the avoidance of doubt, the above authorization constitutes Client’s general authorization to the subprocessing by Company for purposes of Clause 9(a), option 2 of the Standard Contractual Clauses.
Where Company engages Subprocessors, Company will enter into a contract with the Subprocessor that imposes on the Subprocessor the same or substantially similar obligations that apply to Company under this DPA. Where the Subprocessor fails to fulfil its data processing obligations, Company remains liable to Client for the performance of such Subprocessor's obligations.
Where a Subprocessor is engaged, Client may monitor and inspect the Subprocessor’s activities in accordance with this DPA and Data Protection Laws, including to obtain information from Company, upon written request, on the substance of the contract and the implementation of the data protection obligations under the subprocessing contract, where necessary by inspecting the relevant contract documents.
The provisions of this Section apply equally if Company engages a Subprocessor in a country outside the European Economic Area (“EEA”) or the United Kingdom (“UK”) that is not recognized by the European Commission or the UK government, respectively, as providing an adequate level of protection for Personal Data. If, in the performance of this DPA, Company transfers any Personal Data to a Subprocessor located outside of the EEA or UK, Company shall, in advance of any such transfer, ensure that a lawful transfer mechanism in respect of that Processing is in place.
7.2. Current Subprocessor List and Notification or Objection to New Subprocessors. If Company intends to engage Subprocessors other than the companies listed on the Subprocessor list in Exhibit D, Company will notify Client in writing. Upon receiving such notification, Client may object to any such Subprocessor within thirty (30) days of the notification. Such objection must be based on reasonable grounds. If Company and Client are unable to resolve such objection, either Party may terminate the Agreement by providing written notice to the other Party.
8. DATA TRANSFERS
Client acknowledges that, in connection with the performance of the Services under the Agreement, Personal Data will be transferred to Company in the United States and to its Subprocessors. Company may access and perform Processing of Personal Data on a global basis as necessary to provide the Services.
The Standard Contractual Clauses apply with respect to Personal Data that is transferred outside the EEA, either directly or via onward transfer, to any country not recognized by the European Commission as providing an adequate level of protection for Personal Data (as described in the Data Protection Laws). Details of the Standard Contractual Clauses are attached as Exhibit A.
The UK Transfer Addendum applies with respect to Personal Data that is transferred outside the UK, either directly or via onward transfer, to any country not recognized by the UK government as providing an adequate level of protection for Personal Data (as described in the Data Protection Laws). Details of the UK Transfer Addendum are attached as Exhibit B.
To the extent that Client or Company is relying on a specific statutory mechanism to lawfully support international data transfers and that mechanism is subsequently revoked or held by a court of competent jurisdiction to be invalid, Client and Company shall cooperate in good faith to pursue a suitable alternative mechanism that can lawfully support the transfer.
9. DISPOSITION OF PERSONAL DATA
At Client’s reasonable written request or at termination of the Agreement, whichever occurs first, Company will delete or return to Client all Personal Data, including any Personal Data subcontracted to a third party for Processing, except as required or permitted by applicable law. With respect to Personal Data that Company is required by applicable law to retain, Company will isolate and protect such Personal Data from further Processing, except as required by applicable law. Company will use commercially reasonable efforts to ensure that any Subprocessors who are in possession of Personal Data also comply with this provision. Company’s obligations under this Section do not apply to Anonymized Data, which Company may continue to use for any lawful purpose.
10. PARTIES TO THIS DPA
We have adopted this DPA and made it effective through the Agreement into which Client entered. No further execution of the DPA is necessary, including the signature lines for Annex I.A of the Standard Contractual Clauses attached to this DPA. The Agreement incorporates both this DPA and the attached Standard Contractual Clauses, so no further signature of either document is required.
EXHIBIT A
Details of the Standard Contractual Clauses
When applicable, the Parties fully incorporate the Standard Contractual Clauses, including the following options and provisions:
A. APPLICABLE MODULE
Based on the nature of the Services, the module indicated below applies:
[X] Module One (Controller to Controller) (for the limited circumstances outlined in the DPA)
[X] Module Two (Controller to Processor)
[ ] Module Three (Processor to Processor)
[ ] Module Four (Processor to Controller)
B. OPTIONS
For each module, where applicable, the Parties agree on the following options:
C. DATA EXPORTER & IMPORTER
Pursuant to Annex I, Part A, the data exporter is Client and the data importer is Company, as identified in the preamble and Section 10 of the DPA.
D. DESCRIPTION OF TRANSFER
Pursuant to Annex I, Part B, the Parties agree that the data transfers are consistent with the descriptions noted in Section 3 of the DPA.
E. COMPETENT SUPERVISORY AUTHORITY
For the purposes of Annex I, Part C of the Standard Contractual Clauses, the country in which the Data Exporter is established, if applicable, shall determine the competent supervisory authority.
F. SECURITY OF PROCESSING
For the purposes of Annex II of the Standard Contractual Clauses (Technical and Organisational Measures Including Technical and Organisational Measures to Ensure the Security of the Data), the required measures are described in Exhibit C.
EXHIBIT B
Details of the UK Transfer Addendum
This Exhibit forms part of the DPA and supplements the Standard Contractual Clauses pursuant to the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, Version B1.0, issued by the Information Commissioner's Office on February 2, 2022 and in force from 21 March 2022.
Part 1 is as follows:
Part 2 is as follows:
Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.
EXHIBIT C
Security Measures
Company utilizes Amazon Web Services (“AWS”) and relies to a great extent on the technical security measures adopted by AWS. In addition to the security measures adopted by AWS, and to the extent data processing activities occur outside the AWS system, Company has implemented the following technical and organizational measures to ensure the security of Personal Data:
1. Unauthorized persons are prevented from gaining physical access to our premises and the rooms where data processing systems are located.
2. Employees are only granted access to the data and systems required for the tasks assigned to them.
3. Personnel without access authorization (e.g. office guests) are accompanied at all times.
4. We ensure that all computers processing personal data (including computers with remote access) are password protected, both after booting up and when left, even for a short period.
5. We assign individual user passwords for authentication.
6. We only grant system access to our authorized personnel and strictly limit their access to applications required for those personnel to fulfil their specific responsibilities.
7. We regularly review access granted to our critical and high risk tools, ensuring that only those that require access have it.
8. We have implemented a password policy that prohibits the sharing of passwords, outlines procedures to follow after disclosure of a password, and requires that passwords be changed regularly.
9. We ensure that passwords are always stored in encrypted form.
10. We have adopted procedures to deactivate user accounts when an employee, agent, or administrator leaves the company or moves to another responsibility within the company.
11. We prevent the installation and use of unauthorized hardware and software in our premises.
12. We have established rules for the safe and permanent destruction of data that are no longer required.
13. Except as necessary for the provision of the Services, Client Data cannot be read, copied, modified or removed without authorization during transfer or storage.
14. We encrypt data during any transmission.
15. We are able to retrospectively examine and establish whether and by whom Client Data has been entered into data processing systems, modified or removed.
16. We log administrator and user activities.
17. We process the personal data received from different clients so that in each step of the processing the Client can be identified and so that data is always physically or logically separated.
18. We create back-up copies stored in protected environments.
19. We perform regular restore tests from our backups.
20. We do not use personal data for any purpose other than what we have been contracted to perform.
21. We do not remove Client Data from our business computers or premises for any reason (unless you have specifically authorised such removal for business purposes).
22. Whenever a user leaves his or her desk unattended during the day and prior to leaving the office at the end of the day, he or she is required to place any documents containing Client Data in a secure environment such as a locked desk drawer, filing cabinet, or other secured storage space.
23. We ensure that each computer system runs a current anti-virus solution.
24. We have designated a responsible person to perform the functions of a data protection officer.
25. We have obtained the written commitment of our employees to maintain confidentiality and to comply with our requirements under the DPA and the GDPR.
26. We regularly train our staff on data privacy and data security.
EXHIBIT D
List of Subprocessors