Data Processing Agreement
Effective Date: May 15th, 2025
- The JobzMall customer identified on the applicable ordering document for JobzMall services (“Customer”, “Client”, “you”); and
- The JobzMall entity identified on such ordering document (“JobzMall”, together with its Affiliates, the “Processor” where applicable).
Customer and JobzMall are referred to individually as a “Party” and together as the “Parties”.
1. Scope and Roles
1.1 Purpose. This DPA governs JobzMall’s Processing of Personal Data on behalf of Customer when, and only to the extent that, JobzMall acts as a Processor (or equivalent term under Applicable Data Protection Law) in relation to such Personal Data in the course of providing the Services under the Primary Agreement (“Client Personal Data”).
- (i) Job Seeker Data: Any Personal Data provided directly to JobzMall by a Job Seeker who has established a direct relationship with JobzMall via the JobzMall User Terms of Service (including profiles, resumes, and video intros). For clarity, all Personal Data provided by a Job Seeker in connection with applying to any job on the JobzMall platform constitutes Job Seeker Data, regardless of which employer posted the job.
- (ii) Platform Usage Data: Data relating to the operation, support, and use of the Services, including query logs, metadata, and analytics. JobzMall may Process Platform Usage Data for analytics, reporting, service optimization, and the development of new features.
- (iii) Business Contact Information: Contact details of Customer’s employees used for billing and contract administration.
2. Definitions
2.1 Capitalized terms used but not defined in this DPA shall have the meanings given to them in the Primary Agreement.
- Applicable Data Protection Law means all data protection laws that apply to the Processing of Client Personal Data under the Primary Agreement, including GDPR, UK GDPR, Swiss FADP, and CCPA/CPRA.
- Client Personal Data means Personal Data that Customer uploads to the Services or that JobzMall Processes on Customer's behalf, for which Customer is the Controller. Client Personal Data expressly excludes Job Seeker Data, Platform Usage Data, and Business Contact Information.
- Job Seeker Data means Personal Data relating to an individual job seeker who has accepted JobzMall’s User Terms of Service.
- Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Client Personal Data Processed by JobzMall in its capacity as Processor.
- Subprocessor means any third party (including JobzMall Affiliates) engaged by JobzMall to Process Client Personal Data on behalf of Customer.
- Technical and Organizational Measures (“TOMs”) means the security measures described in Appendix B.
3. Customer Responsibilities
3.1 Compliance & Accuracy. Customer is solely responsible for: (i) the accuracy, quality, and legality of Client Personal Data and the means by which Customer acquired it; (ii) complying with all Applicable Data Protection Laws regarding the collection and use of Client Personal Data, including obtaining necessary Consents and providing privacy notices; and (iii) ensuring that its instructions to JobzMall comply with applicable laws. Customer acknowledges that JobzMall is not responsible for determining whether JobzMall’s Security Measures meet Customer’s specific legal or industry obligations.
3.2 Instructions. Customer’s instructions to JobzMall are set out in the Primary Agreement and this DPA. Customer shall not instruct JobzMall to Process Client Personal Data in violation of law.
4. JobzMall’s Obligations as Processor
4.1 Processing on Instructions. JobzMall will Process Client Personal Data only on Customer’s documented instructions or where required by law.
4.2 Security & Confidentiality. JobzMall will implement and maintain appropriate TOMs (Appendix B) to protect Client Personal Data. JobzMall shall ensure that persons authorized to process Client Personal Data are subject to appropriate confidentiality obligations. JobzMall may modify or update the TOMs at its discretion from time to time, provided that such modification or update does not result in a material degradation in the overall security of the Services.
4.3 Assistance. JobzMall will provide reasonable assistance to Customer (at Customer’s cost) with Data Protection Impact Assessments (DPIAs) and prior consultations with Supervisory Authorities, where required by law.
4.4 Data Subject Requests. If JobzMall receives a request from a Data Subject regarding Client Personal Data, JobzMall will notify Customer and not respond except on Customer’s instructions.
5. Personal Data Breach
5.1 Notification. JobzMall will notify Customer without undue delay (within 72 hours where feasible) after becoming aware of a Personal Data Breach affecting Client Personal Data.
5.2 Cooperation. JobzMall will investigate the breach and cooperate reasonably with Customer regarding notifications to regulators or Data Subjects.
6. Data Deletion and Return
Upon termination or expiry of the Services for which JobzMall Processes Client Personal Data as Processor, JobzMall will, at Customer’s choice, delete Client Personal Data or return Client Personal Data to Customer, unless retention is required by law. JobzMall may retain copies in backup systems, which will be isolated and deleted in accordance with JobzMall’s backup retention schedule.
7. Subprocessors
7.1 Authorization. Customer generally authorizes JobzMall to engage Subprocessors.
7.2 Obligations. JobzMall shall impose on each Subprocessor data protection obligations that are substantially similar to those set out in this DPA, as required by Article 28(4) GDPR.
7.3 Objection & Cost. JobzMall will provide notice of new Subprocessors. If Customer reasonably objects within ten (10) business days, the Parties will seek an alternative. If Customer’s objection is based on anything other than the new Subprocessor’s failure to comply with Applicable Data Protection Law, JobzMall shall not be obligated to provide the affected Services, and Customer shall be responsible for any costs associated with implementing an alternative solution. If no solution is agreed, either Party may terminate the affected Services, and JobzMall will refund pro-rata fees.
8. International Transfers
8.1 Mechanisms. JobzMall will not transfer Client Personal Data outside its country of origin except via a valid mechanism (e.g., EU SCCs, UK Addendum, or the Data Privacy Framework).
8.2 SCCs. For transfers from the EEA/Switzerland/UK to a third country without adequacy, the applicable Standard Contractual Clauses (Module 2) are incorporated by reference. The Parties select the supervisory authority of the Data Exporter as the competent authority for the SCCs.
9. Audits
9.1 Paper Audit. JobzMall will provide its latest security certifications (e.g., SOC 2) upon request to demonstrate compliance.
9.2 On-Site Audit. If certifications are insufficient, Customer may conduct an on-site audit no more than once per year (unless required by a Supervisory Authority). Such audit shall occur during normal business hours, upon at least sixty (60) days' prior written notice, and at Customer’s sole expense. The audit shall be limited to three (3) business days and shall not unreasonably interfere with JobzMall’s business operations. Customer shall be responsible for any costs incurred by JobzMall in supporting such audit.
10.1 Roles. Regarding Client Personal Data subject to CCPA/CPRA, JobzMall is a “Service Provider” and/or “Contractor,” and Customer is a “Business.”
10.2 Restrictions. JobzMall will not: (a) “Sell” or “Share” Client Personal Data; (b) Retain, use, or disclose Client Personal Data outside the direct business relationship between JobzMall and Customer; or (c) Combine Client Personal Data with personal information received from other sources, except to the extent permitted by CCPA/CPRA. (Note: This restriction does not apply to Job Seeker Data).
10.3 Verification. Upon Customer’s reasonable request, JobzMall will make available information necessary to demonstrate compliance with the CCPA/CPRA Service Provider/Contractor requirements.
11. Limitation of Liability
11.1 Cap. The limitations and exclusions of liability set out in the Primary Agreement apply to this DPA and any SCCs executed in connection with it, to the maximum extent permitted by Applicable Data Protection Law.
11.2 Instruction Immunity. JobzMall will not be liable for any claim brought by a Data Subject or third party arising from or related to JobzMall’s action or omission to the extent that JobzMall was acting in accordance with Customer’s documented instructions.
12. Miscellaneous
12.1 Conflict. This DPA prevails over the Primary Agreement regarding Client Personal Data.
12.2 Governing Law. Governed by the law specified in the Primary Agreement (California), unless SCCs require otherwise.
12.3 No Joint Controllers. Nothing in this DPA shall be construed as creating a joint controller relationship between the Parties.
Appendix A – Details of Processing
- Data Exporter: Customer (Controller).
- Data Importer: JobzMall, Inc. (Processor).
A.2 Subject Matter. Processing of Client Personal Data (e.g., employer notes, private ratings, unlisted job data, candidate data prior to JobzMall User conversion) to provide the Services.
A.3 Categories of Data Subjects. Customer employees and candidates who have not yet established a direct relationship with JobzMall.
JobzMall will implement measures including:
- Encryption: TLS for data in transit; AES for data at rest.
- Access Control: Role-based access; MFA; regular review.
- Security Program: Designated security team; regular vulnerability scanning.
- Vendor Management: Due diligence on Subprocessors.
- Business Continuity: Daily backups and disaster recovery plans.