Data Protection Addendum ("DPA")
This Data Protection Addendum (“DPA”) is part of the underlying agreement between Arena Talent Inc. (“Arena”) and Customer for Arena’s provision of Services (each, the “Agreement”). In the event of any conflict between the terms of this DPA and the other terms of this Agreement, this DPA will govern.
Definitions
1. In this DPA:
a. “Applicable Law” means all laws, regulations and other legal requirements applicable to either (i) Arena as provider of the Services or (ii) Customer as user of the Services. For example, to the extent applicable, this includes the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”); equivalent requirements in the United Kingdom including the Data Protection Act 2018 and the UK General Data Protection Regulation (“UK Data Protection Law”); the Swiss Federal Act on Data Protection (“Swiss FADP”); the California Consumer Privacy Act, as amended by the California Privacy Rights Act and together with associated regulations (“CCPA”); as well as U.S. state laws similar to the CCPA to the extent applicable (together with the CCPA, as they become effective, the “U.S. State Privacy Laws”).
b. “Designated Address” means Customer’s email address provided by Customer during account registration.
c. “Personal Data” means any information relating to an identified or identifiable individual, within the meaning of the GDPR (regardless of whether the GDPR applies), any information that qualifies as “personal information” under the CCPA (regardless of whether the CCPA applies) and any other information defined as “personal information,” “personal data,” or an analogous term in Applicable Law.
d. “Personal Data Breach” means the accidental or unlawful destruction, loss, alteration, disclosure or other Processing of, or access to, Customer Personal Data.
e. “Process” and “Processing” mean any operation or set of operations performed on data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
f. “Standard Contractual Clauses” refers to the clauses issued pursuant to the EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, and completed as described in the “Data Transfers” section below.
g. “Subprocessor” means a subcontractor engaged by Arena for the Processing of Customer Personal Data.
h. “UK SCC Addendum” means the United Kingdom International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (available as of 12 April 2023), completed as described in the “Data Transfers” section below.
2. For ease of reading, some other terms are defined later in the DPA. Capitalized terms not otherwise defined in the DPA will have the meaning set forth in this Agreement.
Scope, Relationship of the Parties, and Data Use Limitations
3. Arena operates a platform (the “Arena Platform”) that (i) allows job seekers (“Candidates”) to create their own account, set up a profile, and use that profile to apply for jobs with multiple employers participating in the Arena Platform and (ii) allows employers or their representatives to receive those job applications and engage in other recruiting activities. Arena maintains a database of the accounts and profiles that Candidates create (the “Arena Candidate Database”). With each Candidate’s consent, Arena may make some or all of the Candidate’s profile available for employers and their representatives to search and review.
4. As part of the Services, Customer can use the Arena Platform for its recruiting purposes. One or more members of Customer’s workforce (depending on subscription type) will receive a seat within Customer’s account on the Arena Platform to administer and use that account on Customer’s behalf. Such Customer workforce members shall be referred to as “Customer’s Recruiters.” Depending on Customer’s subscription type, Customer may also be able to establish a connection allowing certain data exchanges between the Arena Platform and Customer’s unrelated applicant tracking system operated by Customer or by Customer’s own third-party service provider (the “Customer ATS”).
5. The Arena Platform allows for a variety of direct communications between Candidates and participating employers (“Direct Communications”), such as the Candidate’s submission of a job application, the employer’s communication of a decision to the Candidate, and (depending on the employer’s subscription level) additional one-to-one communication, such as direct messaging. The term “Direct Communications” does not include the generally available job description, company description, or other materials that the employer publishes for viewing by all Candidates but instead refers to one-to-one communication between the employer and the Candidate that takes place through the Arena Platform. To help Candidates and employers stay organized, the Arena Platform generally allows each party to a Direct Communication to see (and, if they wish, delete) their own copy of each Direct Communication that such party has sent or received. For example, the Candidate can see a copy of the job application she submitted to an employer, and the employer also can see its own copy of that job application. One party’s deletion of its copy of a Direct Communication or closure of its own account does not affect the other party’s copy or account.
6. “Customer Personal Data” means:
a. All Personal Data about Customer’s Recruiters acting in such capacity;
b. All Personal Data in Customer’s copy of Direct Communications that Customer sends or receives;
c. All Personal Data that Customer creates in or provides to the Arena Platform regarding Candidates that is not in a Direct Communication (such as Customer’s Recruiters’ internal impressions and Customer’s interviewer notes regarding a Candidate); and
d. Any other Personal Data in the Customer ATS that Arena Processes in connection with the Agreement.
7. For clarity, Customer Personal Data does not include:
a. Personal Data in the Candidate’s copy of any Direct Communications; and
b. The Arena Candidate Database.
8. Unless required by Applicable Law, Arena will Process the Customer Personal Data only to (i) provide and ensure the proper operation of the Services; and (ii) carry out Customer’s reasonable written instructions that are consistent with this Agreement. Without limiting the foregoing, Arena:
a. shall not “sell” the Customer Personal Data, as such term is defined in the U.S. State Privacy Laws (regardless of whether such laws apply);
b. shall not “share” the Customer Personal Data, as such term is defined in the CCPA (regardless of whether the CCPA applies) or otherwise disclose it for targeted advertising purposes;
c. shall not retain, use, or disclose any Customer Personal Data outside of the direct business relationship between Customer and Arena, or for any purpose (including any commercial purpose) other than the limited business purposes specified in this DPA;
d. shall comply with any applicable restrictions under Applicable Law on combining the Customer Personal Data that Arena receives from, or on behalf of, Customer with Customer Personal Data that Arena receives from, or on behalf of, another person or persons, or that Arena collects from any other interaction between Arena and a data subject;
e. shall provide the same level of protection for the Customer Personal Data subject to the CCPA as is required under the CCPA; and
f. hereby certifies that it understands the restrictions and obligations set forth in this DPA and that it will comply with them.
9. If Applicable Law requires Arena to engage in Processing of Customer Personal Data not permitted by the above, Arena will first inform Customer of the relevant legal requirement unless Applicable Law prohibits such notification on important grounds of public interest. Arena will notify Customer as soon as legally permissible if, for any other reason, Arena determines that Arena can no longer meet its obligations under Applicable Law.
10. Nothing in this DPA shall be construed to prohibit Arena from lawfully using information about Customer’s use of the Services, including features powered by artificial intelligence and machine learning, to improve the Services and publish reports with aggregate recruitment-related insights so long as the input for and output of such process (a) cannot, directly or indirectly, identify, be traced back to or otherwise be associated with Customer or any individual; (b) does not, and cannot be reverse-engineered to, contain or constitute Personal Data; and (c) does not, and cannot be reverse-engineered to, contain or constitute any Confidential Information of Customer.
11. Customer has the right to take reasonable and appropriate steps to (a) ensure that Arena is using the Customer Personal Data consistent with Customer’s obligations under Applicable Law, and (b) stop and remediate unauthorized use of the Customer Personal Data.
12. Customer may use job applications and other Personal Data it receives from the Services (such as results from querying the Arena Candidate Database) solely for its lawful recruiting and compliance purposes.
Confidentiality and Training
13. Arena will ensure that the persons Arena authorizes to Process the Customer Personal Data are contractually required to maintain the confidentiality of such data.
Security
14. Arena will comply with its security obligations under Applicable Law. Arena will assist Customer in Customer’s compliance with such obligations by implementing the measures set forth in Schedule B. Arena may make future replacements or updates to the measures, so long as the measures continue to comply with Applicable Law and do not lower the level of security provided for the Customer Personal Data.
15. Arena will not be liable for harm arising from Customer’s failure to use Arena security features.
Subprocessors
16. Arena may subcontract the collection or other Processing of Customer Personal Data (i) only in compliance with Applicable Law regarding subprocessing, (ii) only with Customer’s consent and (iii) only if Arena has imposed contractual obligations on the Subprocessor that are substantially the same as, or more restrictive than, those imposed on Arena under this DPA.
17. Current Subprocessors are listed at www.arenatalent.com/subprocessors. When any new Subprocessor is engaged, Arena will notify Customer by email to the Designated Address (“Subprocessor Notification”) at least 14 days prior to giving the Subprocessor access to the Customer Personal Data (the “Subprocessor Notification Period”).
18. If Customer has any reasonable objection to the new Subprocessor, Customer has 10 days from the date of the Subprocessor Notification to email Arena at legal@arenatalent.com explaining in reasonable detail the basis of the objection and (if Customer desires) Customer’s intent to terminate Customer’s subscription to the Services if the objection is not resolved to Customer’s satisfaction by the end of the Subprocessor Notification Period. Arena will give prompt attention to this objection, and, if Customer’s objection indicated an intent to terminate and Customer does not withdraw the termination notice in writing to legal@arenatalent.com by the end of that period, the termination will take effect at that time. Promptly after termination, Arena will refund any unused prepaid fees. Customer is deemed to consent to the new Subprocessor if Customer does not terminate the subscription as set forth above.
19. Arena remains liable for its Subprocessors’ acts and omissions to the same extent Arena is liable for its own.
Assistance Responding to Individuals’ Requests to Exercise Rights
20. If Arena receives a request from an individual or their representative to exercise rights under Applicable Law with respect to Customer Personal Data (a “Data Subject Request”), such as rights to access, correct, or delete their Customer Personal Data, or a complaint related to such data from an individual or their representative, and the communication identifies Customer, Arena will forward the communication to Customer at the Designated Address:
a. as soon as commercially practicable; but
b. no later than 72 hours after receipt if the communication arrives via legal@arenatalent.com or any other contact method specified in Arena’s then-current publicly available Privacy Policy.
21. Customer will be responsible for lawfully addressing the Data Subject Request, and Arena will provide prompt, reasonable cooperation to Customer, taking into account the nature of the Services and the information available to Arena.
Personal Data Breach Notification
22. Arena will comply with the Personal Data Breach-related obligations applicable to it under Applicable Law. Arena will assist Customer in complying with those applicable to Customer by informing Customer of a confirmed Personal Data Breach without undue delay and in any event within 48 hours of becoming aware and by otherwise complying with this “Personal Data Breach Notification” section of the DPA.
23. Arena will provide such notification to Customer at the Designated Address.
24. Such notification is not an acknowledgement of fault or responsibility. The notification will include Arena’s then-current assessment of the following:
a. The nature of the Personal Data Breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned;
b. The likely consequences of the Personal Data Breach; and
c. Measures taken or proposed to be taken by Arena to address the Personal Data Breach including, where applicable, measures to mitigate its possible adverse effects.
25. Arena will provide prompt updates to such information as it becomes available.
Assistance with DPIAs and Consultation with Supervisory Authorities
26. Arena will provide reasonable assistance to and cooperation with Customer, taking into account the nature of the Services and information available to Arena for (i) Customer’s performance of any data protection impact assessment of the Processing or proposed Processing of the Customer Personal Data involving Arena, and (ii) related consultation with supervisory authorities.
Data Return and Destruction
27. Arena will destroy all Customer Personal Data within 60 days after the termination of this Agreement except to the extent Applicable Law requires storage of the Personal Data.
28. In the event of such legally required retention, (i) Arena will inform Customer as soon as legally permitted, (ii) Arena will retain Customer Personal Data only as required by Applicable Law and will retain it only as long as is required, (iii) during the retention period, Arena will refrain from Processing the Customer Personal Data other than as required by Applicable Law and will continue to comply with this DPA with respect to the Customer Personal Data, to the extent permitted by Applicable Law, and (iv) Arena will promptly destroy the Customer Personal Data when Applicable Law no longer requires its retention.
29. If requested by Customer within 15 days after the termination of this Agreement, Arena will first return a copy of the Customer Personal Data to Customer in any reasonably requested format before the destruction described above.
30. Arena will provide certification of the destruction and/or return upon request.
Compliance Verification and Audits
31. Arena will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to reasonable audits of such compliance, including inspections, provided that (i) such audits are not conducted more than once per year (unless requested by a relevant supervisory authority or in response to a Personal Data Breach); (ii) such audits are conducted only during business hours; and (iii) such audits are conducted in a manner that causes minimal disruption to Arena’s operations and business.
32. Any audit reports and any other information that Customer obtains under this Compliance Verification and Audits section (other than Customer Personal Data) are confidential information of Arena, and Customer may use such material solely to assess Arena’s compliance with its contractual obligations to Customer and to address any related legal matters.
Data Transfers
33. Customer authorizes Arena to make international transfers of the Customer Personal Data only if (i) Applicable Law for such transfers is respected and (ii) the transfer is otherwise permitted by this DPA.
34. To the extent legally required, the Standard Contractual Clauses form part of this DPA and take precedence over the rest of this DPA to the extent of any conflict, and, except as set forth in Sections 35 or 36, they will be deemed completed as follows:
a. Customer, the exporter, acts as a controller and Arena, the importer, acts as Customer’s processor with respect to the Customer Personal Data subject to the Standard Contractual Clauses, and its Module 2 applies. Their contact information is set forth in Schedule A.
b. Clause 7 (the optional docking clause) is included.
c. Under Clause 9 (Use of sub-processors), the parties select Option 2 (General written authorization). The initial list of sub-processors is set forth at www.arenatalent.com/subprocessors, and Arena shall update that list at least 14 days in advance of any intended additions or replacements of sub-processors.
d. Under Clause 11 (Redress), the optional requirement that data subjects be permitted to lodge a complaint with an independent dispute resolution body does not apply.
e. Under Clause 17 (Governing law), the parties choose Option 1 (the law of an EU Member State that allows for third-party beneficiary rights). The parties select the law of Ireland.
f. Under Clause 18 (Choice of forum and jurisdiction), the parties select the courts of Ireland.
g. Annexes I and II of the Standard Contractual Clauses are set forth in Schedule A of the DPA.
h. Annex III of the Standard Contractual Clauses (List of subprocessors) is inapplicable; the current list of Subprocessors is maintained at www.arenatalent.com/subprocessors as described in Section 17.
35. With respect to Customer Personal Data for which UK Data Protection Law governs the transfer, to the extent legally required, the UK SCC Addendum forms part of this DPA and takes precedence over the rest of this DPA to the extent of any conflict and shall be deemed completed as follows (with capitalized terms not defined elsewhere having the definition set forth in the UK SCC Addendum):
a. Table 1 of the UK SCC Addendum: The Parties, their details, and their contacts are those set forth in Schedule A.
b. Table 2 of the UK SCC Addendum: the “Approved EU Standard Contractual Clauses” shall be the Standard Contractual Clauses as set forth in Section 34 of this DPA.
c. Table 3 of the UK SCC Addendum: Annexes I(A), I(B), and II are in Schedule A of the DPA, and Annex III is at www.arenatalent.com/subprocessors.
d. Table 4 of the UK SCC Addendum: neither party may exercise the right set forth in Section 19 of the UK SCC Addendum.
36. With respect to Customer Personal Data for which the Swiss FADP governs the transfer, the Standard Contractual Clauses shall be deemed to have the following differences to the extent required by the Swiss FADP:
a. References to the GDPR in the Standard Contractual Clauses are to be understood as references to the Swiss FADP insofar as the data transfers are subject exclusively to the Swiss FADP and not to the GDPR.
b. The term “member state” in the Standard Contractual Clauses shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the Standard Contractual Clauses.
c. Under Annex I(C) of the Standard Contractual Clauses (Competent supervisory authority):
i. Where the transfer is subject exclusively to the Swiss FADP and not the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner.
ii. Where the transfer is subject to both the Swiss FADP and the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner insofar as the transfer is governed by the Swiss FADP, and the supervisory authority is as set forth in the Standard Contractual Clauses insofar as the transfer is governed by the GDPR.
Survival
37. This DPA survives termination of this Agreement for so long as Arena continues to Process the Customer Personal Data.
Schedule A to DPA
Annexes I and II of the Standard Contractual Clauses
ANNEX I
A. LIST OF PARTIES
MODULE TWO: Transfer controller to processor
Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]
Name: Customer, as specified in the Agreement.
Address: as provided by Customer during account registration.
Contact person’s name, position and contact details: as provided by Customer during account registration.
Activities relevant to the data transferred under these Clauses: Use of the importer’s Services.
Signature and date: The Parties are deemed to have signed this Annex I by signing the Agreement.
Role (controller/processor): Controller
Data importer(s): [Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]
Name: Arena Talent Inc.
Address: 8 The Green #10887, Dover, DE 19901
Contact person’s name, position and contact details: Parul Khosla, CEO, legal@arenatalent.com
Activities relevant to the data transferred under these Clauses: The importer will provide the Services.
Signature and date: The Parties are deemed to have signed this Annex I by signing the Agreement.
Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
MODULE TWO: Transfer controller to processor
Categories of data subjects whose personal data is transferred: candidates and exporter’s internal staff.
Categories of personal data transferred: Contact details, professional information (and, for candidates, educational information and other details found in job applications).
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: Details relevant to diversity, inclusion, and belonging, which may include data about candidates’ health, religious or philosophical beliefs, union membership, sexual orientation, and political beliefs. The importer will restrict access to this data on a need-to-know basis.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): On a continuous basis.
Nature of the processing: Receipt, transmission, organization, display, analysis, and storage of data.
Purpose(s) of the data transfer and further processing: Provision of the Services to Customer.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: As set forth in the DPA.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: Provision of the Services to Customer as set forth in the DPA.
C. COMPETENT SUPERVISORY AUTHORITY
MODULE TWO: Transfer controller to processor
Identify the competent supervisory authority/ies in accordance with Clause 13:
The parties shall follow the rules for identifying such authority under Clause 13 and, to the extent legally permissible, select the Irish Data Protection Commission.
ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
See Schedule B immediately below.
Schedule B to DPA
Information Security Addendum
Arena has established and agrees to maintain a written information security program (the “Information Security Program”) designed to comply with this Information Security Addendum and Applicable Law.
As part of its Information Security Program, Arena has implemented and agrees to maintain administrative, technical, and physical security safeguards designed to protect the confidentiality, integrity, and availability of Personal Data, including but not limited to:
Administrative and Organizational Safeguards
- Arena maintains policies and procedures for the security of Personal Data, including the following:
  - Written information security policies that set forth Arena’s procedures with regard to maintaining the safeguards set forth in this Information Security Addendum.
  - An incident response plan, which sets forth Arena’s procedures to investigate, mitigate, remediate, and otherwise respond to security incidents.
- Arena conducts regular assessments of the risks and vulnerabilities to the confidentiality and security of Personal Data.
- Arena regularly tests and monitors the effectiveness of its Information Security Program, including through security audits, and will evaluate its Information Security Program and information security safeguards in light of the results of the testing and monitoring and any material changes to its operations or business arrangements.
- Arena has appointed an individual to oversee and manage its Information Security Program and lead the response to any Personal Data Breach.
- Arena maintains role-based access restrictions for its systems, including restricting access to only those Arena employees that require access to perform the Services or to facilitate the performance of the Services, such as system administrators, consistent with the principles of least privilege, need-to-know, and separation of duties.
- Arena periodically reviews its access lists to ensure that access privileges have been appropriately provisioned, and regularly reviews and terminates access privileges for Arena employees that no longer need such access.
- Arena assigns unique usernames to authorized Arena employees and requires that Arena employees’ passwords satisfy minimum length and complexity requirements.
- Arena regularly provides training to employees, as relevant for their roles, on confidentiality and security.
- Arena requires relevant Arena employees to acknowledge Arena’s Information Security Program annually.
- Arena has a policy in place to address violations of its Information Security Program.
Technical Security
- Arena logs certain system activity, including authentication events and changes in authorization and access controls, and regularly reviews and audits such logs.
- Arena maintains network security measures, including but not limited to firewalls to segregate its internal networks from the internet, risk-based network segmentation, intrusion prevention or detection systems to alert Arena to suspicious network activity, and anti-virus and malware protection software.
- Arena has implemented workstation protection policies for its systems, including automatic logoff after a period of inactivity and locking the system after a defined number of incorrect authentication attempts.
- Arena requires multi-factor authentication on key systems for workforce members acting as administrative users.
- Arena conducts periodic vulnerability scans and assessments on systems storing, processing, or transmitting Personal Data to identify potential vulnerabilities and risks to Personal Data.
- Arena remediates identified vulnerabilities in a risk-prioritized and timely manner, including timely implementation of manufacturer- and developer-recommended security updates and patches that mitigate high-risk vulnerabilities in systems and software storing, transmitting, or otherwise Processing Personal Data.
Physical Security
- Arena’s policy is to restrict employees’ access to its facilities, equipment, and devices on a need-to-know basis.
- Arena tracks the location of its equipment, devices, and electronic media and maintains a record of such locations.