DATA PROCESSING AGREEMENT
This Data Processing Agreement (“DPA”) reflects the parties’ agreement with respect to the terms governing the processing of Personal Data under the Terms of Service. This DPA is an addendum to the Terms of Service and is effective upon its incorporation into the Terms of Service. The Terms of Service means the Software as a Service agreement that concerns the HireFire Services (https://www.hirefire.io). The term of this DPA shall follow the term of the Terms of Service. Terms not otherwise defined herein shall have the meaning as set forth in the Terms of Service.
Final Creation, incorporated and registered under the laws of the Netherlands and having its registered office at Gooimeerpromenade 111, 1277 EW Huizen, the Netherlands, registered with the Dutch Chamber of Commerce (KvK) under number 32157031, hereinafter referred to as “Processor” and the Customer hereinafter referred to as “Controller”. Processor and Controller are hereinafter also referred to individually as “Party” or collectively as “Parties”.
Whereas:
- Under the DPA, the Processor provides the Service as provided under the Terms of Service to the Controller and in the context of these services, Processor will process (personal) data on Controller’s behalf.
- Pursuant to article 28 of the GDPR, Parties wish to enter into this agreement in order to stipulate the conditions applicable to their relationship regarding the aforementioned activities on behalf of Controller.
The Parties agree as follows:
Article 1 - Definitions
1.1 In this agreement, the following terms indicated with a capital, whether single or plural, will have the following meaning:
- Attachment: An attachment to this Data Processing Agreement that is an inextricable part thereof;
- GDPR: The General Data Protection Regulation (2016/679/EU);
- Personal Data: Data which is directly or indirectly traceable to a natural person as defined in article 4(1) of the GDPR;
- Processing: Any act in relation to Personal Data as defined in article 4(2) of the GDPR.
- DPA: This agreement between the Controller and the Processor;
- The terms Controller and Processor shall have the same meaning as provided in article 4 of the GDPR.
- Any other terms that occur both in this agreement, as well as the GDPR, shall have the meaning prescribed to them in article 4 of the GDPR.
Article 2 - Controller and Processor of the Personal Data (article 24, 28 and 29 GDPR)
- 2.1 Processor undertakes to Process the Personal Data under this DPA on behalf of Controller.
- 2.2 Controller guarantees that the order to Process the Personal Data is in accordance with all relevant and applicable laws and regulations. Controller indemnifies Processor against all damage and costs arising from and/or related to claims of third parties in connection with not fulfilling this guarantee.
- 2.3 Controller is responsible for the Processing of the Personal Data as described in this DPA.
- 2.4 An overview of the way the Personal Data is supplied, the categories of Personal Data, the categories of data subjects, the nature and purposes of the Processing is provided in Attachment I to this DPA.
Article 3 - Confidentiality
- 3.1 Without prejudice to any existing contractual arrangements between the Parties, the Processor will treat all Personal Data as strictly confidential. The Processor shall ensure that all persons authorized to Process the Personal Data are bound to confidentiality.
- 3.2 These obligations will not prevent a Party from sharing information with a third party to the extent such disclosure is mandatory under applicable law.
Article 4 - Security
- 4.1 Processor shall implement and maintain appropriate technical and organizational measures that are designed to protect and preserve the security and confidentiality of any personal data in accordance with HireFire's security standards, as further described on the Processor’s website at https://www.hirefire.io/security. Considering the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the Processing and the nature of the data to be protected.
- 4.2 The Controller is responsible for reviewing the information made available by Processor relating to data security and should make an independent determination as to whether the Service meets the Controller’s requirements and legal obligations under any data protection laws. The Controller acknowledges that the security measures are subject to technical progress and development and that HireFire may update or modify the security measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Service provided to Controller.
Article 5 - Third parties and subcontractors
- 5.1 Processor may engage third parties and/or subcontractors for the Processing of Personal Data under this DPA.
- 5.2 Processor is responsible for these third parties and/or subcontractors and shall impose upon the third parties and/or subcontractors the same conditions, duties and responsibilities as contained in this DPA in accordance with article 28.4 GDPR. In accordance with articles 28.3.d; 28.2 and 28.4 GDPR, Processor shall inform (in writing) Controller of any intended changes concerning the addition or replacement of these third parties and/or subcontractors, providing Controller with the opportunity to object to such changes within one week.
Article 6 - International data transfer (Chapter V GDPR)
- 6.1 Countries located inside the EEA will be assumed as having an adequate level of protection due to their obligations to comply with GDPR.
- 6.2 Processor shall only transfer Personal Data to a country outside of the European Economic Area (EEA) when either:
- a. There is an adequate level of protection of the data (as described in articles 44-50 GDPR) or;
- b. without an adequate level of protection if such transfer is allowed or required under applicable law (Article 49 GDPR).
- 6.3 Processor guarantees that subcontractors will only transfer data outside of the EEA in conformity with article 6.2 of this Agreement.
Article 7 - Information and audit (article 28.3.h GDPR)
- 7.1 If Processor believes an instruction of Controller causes a breach of the GDPR or other applicable legislation, it will immediately inform Controller in writing. Parties will seek an appropriate solution together in case any external developments endanger the lawfulness of the Processing of Personal Data as described in this Agreement.
- 7.2 Processor will provide upon Controller’s written request all information reasonably deemed necessary to demonstrate compliance with this DPA.
- 7.3 If applicable data protection law affords Controller an audit right, Controller’s appointed external auditor may, no more than once annually, carry out an inspection of Processor’s operations and facilities with respect to the Processing of Personal Data. Controller must provide Processor sixty (60) days written notice of such intention to audit, conduct its audit during normal business hours, and take reasonable measures necessary to prevent unnecessary disruption to Controller’s operations. Prior to any audit being conducted, the Parties will agree any such audit shall be subject to Controller’s security and confidentiality terms and guidelines. Controller shall be responsible for any costs arising from such audit.
Article 8 - Cooperation of Processor: Data Breaches and Data Subject Requests (articles 33-34 GDPR)
- 8.1 Processor shall notify Controller within 36 hours after it obtains knowledge of a (possible) security incident pertaining to the Processing of Personal Data. In the event of a security incident Processor will offer Controller its reasonable assistance.
- 8.2 After Processor has obtained knowledge of a security incident as meant in article 8.3 below Processor shall take reasonable measures to mitigate the results of the incident as much as possible.
- 8.3 The term “security incident” as used in this article, includes, but is not limited to:
- a. every unauthorized or unlawful Processing, deletion or loss of Personal Data;
- b. every breach of the security and/or confidentiality which results in an unlawful Processing, deletion or loss of Personal Data, or any indication that such a breach will occur or already has occurred.
- 8.4 If Processor receives a complaint or a request (articles 12-23 GDPR) from a natural person regarding the Personal Data (such as a request to access, rectification or erasure), Processor will notify Controller within one week after receiving the complaint or request and will offer Controller its reasonable assistance.
- 8.5 All notifications made based on this article will be directed to the contact details of the contact person of Controller as stated below. Controller is responsible for keeping these contact details up to date and it warrants it will forward changes in the contact details as soon as possible.
Article 9 - Liability (Article 82 GDPR)
- 9.1 Processor is responsible for the proper implementation of the technical and organizational measures as set out in this DPA. Processor is not liable if these measures turn out to be insufficient.
- 9.2 Controller indemnifies Processor against claims of third parties, including Data Protection Authorities, ensuing from the Processing of Personal Data as set out in this DPA.
- 9.3 Any liability of Processor due to imputable failure to perform the agreement or on any other ground, is governed by the limitation of liability as agreed upon in the Terms of Service between Parties.
Article 10 - Term and termination
- 10.1 Either Party may, without judicial intervention, terminate this DPA with immediate effect upon the occurrence of any of the following events:
- (i) the other Party applies for or is granted a suspension of payments by court order, or any other event due to which that Party loses absolute control of its property;
- (ii) a bankruptcy petition is filed against the other Party or if a court of law declares a bankruptcy (or other relevant order) of the other party;
- (iii) the other Party discontinues its business and/or goes into voluntary liquidation;
- (iv) the other Party commits a breach of any of the provisions of the DPA and, in the event of a remediable breach, if such breach is not remedied within fifteen (15) days of receipt of written notice demanding that the breach be remedied.
- 10.2 The obligations from this DPA which are by their nature destined to continue after termination accordingly remain in force after termination of this DPA.
- 10.3 Processor will not store the Personal Data longer than is necessary for the purposes for which the data were collected, in accordance with article 5.1.c GDPR. Processor works with a tail period of 3 months for the purposes of debugging and disaster recovery. This means that for a period of three (3) months after termination of the DPA the Processor will retain the data collected.
- 10.4 During this term Processor shall, upon the request of Controller, provide Controller with the Personal Data it currently Processes in a format as decided on by Processor.
Article 11 - Deletion
At the expiry or termination of the Terms of Service, Processor will, at Controller’s option, delete or return all Personal Data to Controller, except where Processor is required to retain copies under applicable laws, in which case Processor will isolate and protect that Personal Data from any further processing except to the extent required by applicable laws.
Article 12 - Applicable law and competent court
- 12.1 This DPA is governed by the laws specified in the Terms of Service.
- 12.2 All controversies, disputes or claims arising out of or relating to this DPA will be settled by the court specified in the Terms of Service.
Article 13 - Updates to Data Processing Agreement
Final Creation may update this DPA from time to time. Any changes will become effective upon posting of the revised DPA.
Appendix I - Details of the processing of Personal Data
Categories of personal data:
Personal data relating to individuals provided to HireFire via the Site and processed on behalf of and at the directions of the Controller, and can pertain to the following categories of data, as applicable and depending on the services provided under the Terms of Service:
- Personal and Business Contact information (company, email, phone, physical address)
- Browsing information
- Social media information
- User account information
- Connection data
- Localisation data
- Other data
Categories of data subjects:
Data subjects include the individuals about whom personal data is provided to HireFire through the Site and processed on behalf of and at the directions of the Controller, which can pertain to data relating to the following categories of data subjects, as applicable and depending on the services provided under the Terms of Service:
- Visitors and users (Account) of the Processor’s website(s)
- Registered users (Subscription) of the Processor’s website(s)
- Other
Processing operations (nature and purpose of processing):
The specific processing activities to be carried out by the Processor are related to and necessary for the delivery of the HireFire services, and are subject to the applicable HireFire account and the applicable Terms of Service.
Appendix II – HireFire Sub-Processors
For the agreement concluded between the Controller and the Processor, the subcontractors used are included in the table below. Processor shall inform the Controller of any additional sub-contractors recruited by the Processor as stipulated in article 5.
| Sub-contractor | Services Provided | Data Processing Agreement |
| --- | --- | --- |
| Heroku | Application Platform | Sub-contractor DPA |
| Hetzner | Infrastructure Platform | Sub-contractor DPA |
| Cloudflare | Network and Distribution | Sub-contractor DPA |
| Mailgun | Email Platform | Sub-contractor DPA |
| New Relic | Observability Platform | Sub-contractor DPA |
| Helpscout | Documentation and Support | Sub-contractor DPA |
| Sorry | Status Page | Sub-contractor DPA |
| Bugsnag | Application Error Tracking | Sub-contractor DPA |
| Chargebee | Subscription Processing | Sub-contractor DPA |
| Stripe | Payment Processing | Sub-contractor DPA |