Data Processing Agreement

Effective Date: 12/1/2025
Last Updated: 12/1/2025

This Data Processing Agreement ("DPA") forms part of the Terms of Service or other written or electronic agreement ("Agreement") between CareerBridgeIQ ("Processor," "we," "us," or "our") and you ("Controller," "you," or "Customer") for the provision of career development services ("Services").

This DPA reflects the parties' agreement regarding the Processing of Personal Data in accordance with applicable Data Protection Laws.

1. Definitions

For the purposes of this DPA:

  • "Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with a party.

  • "Controller" means the entity that determines the purposes and means of the Processing of Personal Data.

  • "Data Protection Laws" means all applicable laws and regulations relating to privacy, data protection, and data security, including but not limited to:

    • General Data Protection Regulation (GDPR) (EU) 2016/679

    • UK Data Protection Act 2018 and UK GDPR

    • California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)

    • Other applicable U.S. state privacy laws

    • Any successor or replacement legislation

  • "Data Subject" means an identified or identifiable natural person whose Personal Data is Processed.

  • "Personal Data" means any information relating to an identified or identifiable natural person that is submitted to the Services by or on behalf of Controller.

  • "Processing" means any operation or set of operations performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, use, disclosure, dissemination, restriction, erasure, or destruction.

  • "Processor" means the entity that Processes Personal Data on behalf of the Controller.

  • "Security Incident" means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

  • "Sub-processor" means any Processor engaged by Processor to Process Personal Data.

2. Scope and Roles

2.1 Relationship of the Parties

  • Controller acts as the Controller of Personal Data and determines the purposes and means of Processing.

  • Processor acts as the Processor of Personal Data and Processes Personal Data only on behalf of and in accordance with Controller's documented instructions.

2.2 Scope of Processing

The subject matter, duration, nature, and purpose of Processing, and the types of Personal Data and categories of Data Subjects are described in Annex A to this DPA.

2.3 Controller's Responsibilities

Controller:

  • Is solely responsible for the accuracy, quality, and legality of Personal Data and the means by which it acquired Personal Data

  • Has provided all necessary notices and obtained all necessary consents and rights to permit Processor to Process Personal Data as described in this DPA

  • Shall comply with all applicable Data Protection Laws with respect to its Processing of Personal Data

2.4 Processor's Instructions

  • Processor shall Process Personal Data only in accordance with Controller's documented instructions as set forth in this DPA and the Agreement, unless required to do otherwise by applicable law

  • The Agreement and this DPA constitute Controller's complete instructions regarding the Processing of Personal Data

  • Additional instructions outside the scope of this DPA require prior written agreement between the parties

  • If Processor believes that Controller's instruction violates Data Protection Laws, Processor will promptly inform Controller and may refuse to perform the instruction until Controller confirms or modifies it

3. Data Security and Confidentiality

3.1 Security Measures

Processor shall implement and maintain appropriate technical and organizational measures to protect Personal Data against Security Incidents and to preserve the security and confidentiality of Personal Data, as described in Annex B (Security Measures).

3.2 Security Standards

Processor's security measures include, but are not limited to:

  • Encryption of Personal Data in transit and at rest

  • Regular security assessments and penetration testing

  • Access controls and authentication procedures

  • Logging and monitoring of systems

  • Incident response and business continuity plans

  • Regular security training for personnel

  • Physical security controls for data centers

3.3 Updates to Security Measures

Processor may update or modify the security measures from time to time, provided that such updates do not result in the degradation of the overall security of the Services.

3.4 Confidentiality of Processing

Processor shall ensure that all personnel authorized to Process Personal Data:

  • Are subject to appropriate confidentiality obligations

  • Have received appropriate training on Data Protection Laws and data security

  • Process Personal Data only as necessary to perform the Services or comply with legal requirements

3.5 Security Incident Response

In the event of a Security Incident, Processor shall:

  • Notify Controller without undue delay after becoming aware (and in any event within 48 hours of discovery)

  • Provide Controller with sufficient information to meet any obligations to report or inform Data Subjects of the Security Incident under applicable Data Protection Laws

  • Take reasonable steps to mitigate the effects and minimize harm resulting from the Security Incident

  • Cooperate with Controller and provide reasonable assistance in investigating and remedying the Security Incident

  • Document Security Incidents and the actions taken in response

Notification of Security Incidents shall be delivered to: [insert Controller's security contact email]

4. Sub-processing

4.1 Authorized Sub-processors

Controller provides general authorization for Processor to engage Sub-processors to Process Personal Data, provided that Processor:

  • Maintains a current list of Sub-processors

  • Ensures that each Sub-processor is bound by written obligations that provide at least the same level of data protection as this DPA

  • Remains fully liable to Controller for the performance of Sub-processor obligations

4.2 Sub-processor Changes

Processor shall:

  • Provide Controller with at least 30 days' prior written notice of any intended changes concerning the addition or replacement of Sub-processors

  • Give Controller the opportunity to object to such changes on reasonable grounds relating to data protection

4.3 Objection to Sub-processors

If Controller objects to a new Sub-processor:

  • Controller must notify Processor in writing within 15 days of receiving notice

  • The parties shall work together in good faith to find a mutually acceptable resolution

  • If no resolution is reached within 30 days, Controller may terminate the affected Services without penalty upon written notice

5. Data Subject Rights

5.1 Assistance with Data Subject Requests

Processor shall, to the extent legally permitted and taking into account the nature of the Processing:

  • Promptly notify Controller if Processor receives a request from a Data Subject to exercise their rights under Data Protection Laws

  • Provide reasonable assistance to Controller to respond to Data Subject requests, including requests for access, rectification, erasure, restriction of Processing, data portability, or objection to Processing

  • Not respond to Data Subject requests directly without Controller's prior written authorization, except to confirm that the request relates to Controller

5.2 Data Subject Rights Tools

Processor shall provide Controller with commercially reasonable tools and functionality within the Services to enable Controller to:

  • Access Personal Data

  • Correct or update Personal Data

  • Delete Personal Data

  • Export Personal Data in a commonly used format

  • Restrict Processing of Personal Data

5.3 Response Timeframes

Processor shall respond to Controller's requests for assistance with Data Subject requests within a reasonable timeframe, taking into account:

  • The nature and complexity of the request

  • Applicable legal timeframes for responding to Data Subject requests

  • Processor's standard business hours and response times

6. Data Protection Impact Assessments and Audits

6.1 Data Protection Impact Assessments

Upon Controller's reasonable request, Processor shall provide information reasonably necessary to enable Controller to conduct data protection impact assessments or prior consultations with supervisory authorities as required by Data Protection Laws.

6.2 Records of Processing

Processor shall maintain records of all categories of Processing activities carried out on behalf of Controller as required by applicable Data Protection Laws.

6.3 Audit Rights

Controller may audit Processor's compliance with this DPA:

  • Up to once per year, upon 30 days' prior written notice

  • At Controller's expense

  • During Processor's normal business hours

  • Subject to reasonable confidentiality obligations

In lieu of such audit, Processor may provide Controller with:

  • Copies of recent third-party audit reports or certifications (e.g., SOC 2 Type II, ISO 27001)

  • Documentation demonstrating compliance with this DPA

6.4 Regulatory Audits

Processor shall allow for and contribute to audits and inspections conducted by Controller or a regulator or supervisory authority, to the extent required by applicable Data Protection Laws.

7. International Data Transfers

7.1 Data Transfer Locations

Personal Data may be Processed and stored in the following locations: [insert countries/regions where data is processed]

7.2 Transfer Mechanisms

Where Personal Data is transferred from the European Economic Area (EEA), United Kingdom, or Switzerland to countries that have not been deemed to provide an adequate level of data protection:

  • The parties agree that the Standard Contractual Clauses approved by the European Commission (Annex D) shall apply to such transfers

  • Or, where applicable, Processor shall rely on other valid transfer mechanisms recognized under Data Protection Laws

7.3 Additional Safeguards

Processor warrants that it has implemented appropriate safeguards for international data transfers, including:

  • Technical and organizational measures to protect Personal Data

  • Encryption of data in transit and at rest

  • Access controls and authentication

  • Contractual commitments with Sub-processors located outside the EEA/UK

7.4 Government Access Requests

If Processor receives a legally binding request from a government authority for access to Personal Data:

  • Processor shall attempt to redirect the authority to request the data directly from Controller

  • If prohibited from doing so, Processor shall notify Controller of the request unless legally prohibited

  • Processor shall challenge the request if it believes the request is unlawful

8. Data Retention and Deletion

8.1 Retention Period

Processor shall retain Personal Data only for as long as necessary to:

  • Provide the Services to Controller

  • Comply with legal obligations

  • Resolve disputes

  • Enforce agreements

8.2 Data Deletion

Upon termination or expiration of the Agreement, Processor shall (at Controller's election):

  • Delete all Personal Data in its possession or control within 90 days, or

  • Return all Personal Data to Controller in a commonly used electronic format within 30 days

8.3 Exceptions to Deletion

Processor may retain Personal Data to the extent:

  • Required by applicable laws or regulations

  • Stored in backup systems (which will be securely isolated and protected from further Processing, except to the extent required by law)

Processor shall delete such retained Personal Data as soon as possible after the legal retention obligation ends.

8.4 Certification of Deletion

Upon Controller's request, Processor shall provide written certification that Personal Data has been deleted in accordance with this DPA.

9. Liability and Indemnification

9.1 Processor Liability

Each party's liability arising out of or related to this DPA shall be subject to the limitations of liability set forth in the Agreement.

9.2 Allocation of Liability (GDPR)

Under GDPR Article 82:

  • Processor shall be liable for damages caused by Processing only where it has not complied with obligations specifically directed to Processors under GDPR or has acted outside or contrary to lawful instructions from Controller

  • Controller and Processor shall be jointly and severally liable to Data Subjects for damages

9.3 Indemnification

Each party shall indemnify and hold harmless the other party from and against all claims, liabilities, damages, costs, and expenses (including reasonable attorneys' fees) arising out of or related to:

  • Its breach of this DPA

  • Its violation of applicable Data Protection Laws

  • Its negligence or willful misconduct

10. Term and Termination

10.1 Term

This DPA shall commence on the Effective Date and continue for the duration of the Agreement or until all Personal Data is deleted or returned in accordance with Section 8.

10.2 Termination

This DPA may be terminated:

  • By either party if the other party materially breaches this DPA and fails to cure such breach within 30 days of written notice

  • Upon termination or expiration of the Agreement

  • As provided in Section 4.3 (Objection to Sub-processors)

10.3 Effect of Termination

Upon termination of this DPA:

  • Processor shall cease all Processing of Personal Data

  • The data deletion or return obligations in Section 8 shall apply

  • Sections that by their nature should survive (including Sections 3, 8, 9, and 11) shall survive termination

11. General Provisions

11.1 Precedence

In the event of a conflict between this DPA and the Agreement, this DPA shall prevail to the extent of the conflict with respect to the Processing of Personal Data.

11.2 Amendments

This DPA may only be amended by written agreement signed by both parties, except that Processor may update:

  • Annex A (Details of Processing) to reflect new Services or features

  • Annex B (Security Measures) to enhance security, provided the overall level of protection is not reduced

  • Annex C (List of Sub-processors) in accordance with Section 4.2

11.3 Severability

If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect, and the invalid or unenforceable provision shall be reformed to the minimum extent necessary to make it valid and enforceable.

11.4 Notices

All notices under this DPA shall be in writing and sent to:

To Controller: hello@careerbridgeiq.com

To Processor (CareerBridgeIQ): hello@careerbridgeiq.com

11.5 Governing Law and Jurisdiction

This DPA shall be governed by the laws specified in the Agreement. For EU/UK Data Subjects, this DPA shall also be subject to applicable Data Protection Laws.

11.6 Alternative Language Versions

This DPA is executed in English. Any translation is provided for convenience only. In case of conflict, the English version shall prevail.
