Data processing agreement
This Data Processing Agreement, including Appendices, (“DPA”) is incorporated into and forms part of the Agreement between Customer and Testlify, Inc. (hereafter “Testlify”).
Scope
This DPA between Customer, and if applicable, Customer’s Affiliates, and Testlify contains the legal terms and conditions that apply to the processing of End User Data, which may include personal data, by any of the Services.
Definitions
The following definitions apply throughout this DPA:
- “Agreement” means the Testlify End User Agreement, unless a separate agreement governing the use of the Services exists between the parties.
- “Data protection laws” means data protection laws applicable to Testlify in its processing of personal data under this DPA, including, where applicable, the GDPR and the CCPA.
- “DPA” means this Customer Data Processing Agreement.
- “End user data” means data that may be accessed or collected by the Services during the relationship governed by the Agreement, in the form of logs, session data, telemetry, user data, usage data, threat intelligence data, and copies of potentially malicious files detected by the Product. End User Data may include confidential data and personal data, such as source and destination IP addresses, active directory information, file applications, URLs, file names, and file content.
- “GDPR” means the General Data Protection Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
- “Information security measures” means the technical and organizational measures for ensuring the security of the processing.
- “Security incident” means any unauthorized access to any End User Data stored on Testlify’s equipment or in Testlify’s facilities, or unauthorized access to such equipment or facilities resulting in loss, disclosure, or alteration of End User Data that compromises the privacy, security or confidentiality of such End User Data.
Terms used in this DPA that are specifically defined in the GDPR shall have the same meaning as set forth in the GDPR. Terms used in this DPA that are not specifically defined in the GDPR shall have the same meaning as set forth in the Agreement.
Responsibilities of processing personal data as a processor
To the extent Testlify processes personal data on behalf of Customer as a processor (as defined by applicable Data Protection Laws), Testlify shall do so only on documented instructions from Customer pursuant to this DPA and the Agreement, to operate the Services, and as permitted or required by applicable law. Such instructions may include the configuration of the Product by the Customer. Testlify shall immediately inform Customer if, in its opinion, an instruction infringes applicable Data Protection Laws.
- Where Testlify processes personal data as a processor as defined by applicable Data Protection Laws, the following shall apply:
- Processing required by law. In the event Testlify is required by the applicable law to process Customer personal data, Testlify will carry out such processing and notify Customer of such legal requirement, unless such notification is prohibited by applicable law, giving Customer the ability to issue revised instructions or to cease using the Services.
- Compliance with applicable data protection laws. Testlify will process Customer personal data in accordance with applicable Data Protection Laws and will make available to Customer upon request the information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and other applicable Data Protection Laws.
- Data subject requests. Testlify shall provide reasonable assistance to Customer to comply with its obligations with regard to data subject rights under applicable Data Protection Laws, taking into account the nature of the data processing and the information available to Testlify. If Testlify or any sub-processor receives a request or a complaint from a data subject or its representative, including requests regarding the data subject’s rights under applicable Data Protection Laws, Testlify will forward the request without undue delay to Customer for handling unless Testlify is required by law to address that request. The Customer hereby authorizes Testlify to share the test data provided by a data subject with this data subject in case the latter requests such data from Testlify directly.
- Data protection impact assessment. Upon Customer’s written request, Testlify shall provide Customer with reasonable cooperation and assistance needed to fulfill Customer’s obligation under applicable Data Protection Laws to carry out a data protection impact assessment related to Customer’s use of the Services. Testlify shall also provide reasonable assistance to Customer in the cooperation or prior consultation with the Supervisory Authority, to the extent required under applicable Data Protection Laws.
- Authorized personnel. Testlify shall ensure that authorized personnel who process Customer personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Furthermore, except where required by applicable law, Testlify will not share Customer personal data with third parties other than with authorized sub-processors.
- Sub-processors. Customer authorizes Testlify to engage the sub-processors (identified at Appendix 1 to this agreement) to process personal data. In the event Testlify engages any new sub-processor, it will:
- Notify Customer through the support portal within fifteen (15) days of such change to give Customer the opportunity to object to such sub-processing. If Customer objects to a new sub-processor, Testlify will then endeavor to offer alternate options for the delivery of the relevant Product that do not involve the new sub-processor, without prejudice to any of Customer’s termination rights;
- Impose appropriate contractual obligations upon the sub-processor that are no less protective than this DPA; and
- Remain responsible and liable for the sub-processor’s compliance with this DPA and for any acts or omissions of the sub-processor that cause Testlify to breach any of its obligations under this DPA.
 
- Cross-border transfers. If Customer Personal Data is transferred outside the European Economic Area (EEA), the United Kingdom (UK), or Switzerland, Testlify ensures such transfers comply with applicable data protection laws. Transfers will be subject to appropriate safeguards as described in Article 46 of the GDPR. Specifically, the Standard Contractual Clauses (SCCs) adopted by the European Commission on 4 June 2021, along with any required UK Addendum or Swiss Addendum, are incorporated herein by reference and form an integral part of this DPA. Execution of this DPA constitutes execution of the SCCs. In response to the Schrems II decision, Testlify has implemented supplementary technical and organizational measures to ensure an adequate level of protection for Customer Personal Data. Details of these measures are outlined in our Information Security Measures. In the event of any conflict between the terms of this DPA and the SCCs, the terms of the SCCs shall prevail.
 
- Safeguarding confidentiality and security of personal data. Testlify has implemented practices and policies to maintain appropriate organizational, physical, and technical measures to safeguard the confidentiality and security of Customer personal data, taking into account state of the art, the costs of implementation, the nature, scope, context, and purposes of processing as well as the rights and freedoms of natural persons, including as appropriate:
- the pseudonymization, de-identification, or encryption of data;
- the ability to restore the availability and access to Customer personal data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing, and evaluating the effectiveness of Testlify’s Information Security Measures.
 
- Incident response plan. Testlify shall implement and maintain an incident response plan that specifies actions, including containment, investigation, reporting, and remediation, to be taken in the event of a Security Incident.
- Security incident. In the event of a Security Incident affecting Customer personal data, Testlify will, without undue delay: (a) inform the Customer of the Security Incident; (b) investigate and provide the Customer with available detailed information about the Security Incident; and (c) take reasonable steps to mitigate the effects and minimize any damage resulting from the Security Incident as required by applicable Data Protection Laws.
- Audit. Testlify shall make available to Customer, upon written request, subject to appropriate confidentiality obligations, a summary copy of applicable third-party audit report(s) or certifications it maintains for its Services so that the Customer can verify Testlify’s compliance with this DPA, the audit standards against which it has been assessed, and the standards specified in the Security Measures.
- Retention and deletion. Testlify shall process and retain all personal data processed on behalf of the Customer, including but not limited to Customer data, Candidate data, End User data, and any other data subjects under the Customer’s control, no longer than necessary for the purposes for which it is processed. Upon termination of this DPA or the Agreement, Testlify shall: (i) delete personal data that is no longer necessary to carry out any of the purposes under this DPA or the Agreement; or (ii) upon Customer’s request, provide options to return or erase, destroy, and render unrecoverable all such personal data, where reasonably possible and in compliance with applicable law. This obligation applies to all personal data processed by Testlify as Data Processor, including data contained within test results or other outputs generated during service delivery.
Details of personal data being processed
- Subject matter: The subject matter of the Processing under this DPA is Customer Personal Information.
- Duration: Testlify may Process Customer Personal Information under this DPA until the termination or expiration of the Agreement.
- Purpose: The purpose of the Processing of Customer Personal Information under this DPA is to enable Testlify to deliver the Services and perform its obligations as set forth in the Agreement (including this DPA) or as otherwise agreed by the Parties in mutually executed written form.
- Nature of the processing: To provide Services as described in the Agreement, Testlify will Process Customer Personal Information upon the instruction of Customer and in accordance with the terms of this DPA, including all applicable Addenda, and the Agreement.
- Categories of data subjects: Customer determines the categories and extent of any Customer Personal Information that it discloses to Testlify, which may include without limitation Customer Personal Information relating to the following categories of data subjects:
- Employees, contractors, consultants, and individuals belonging to Customer, or Customer’s clients’ and partners’ workforce;
- Candidates applying to a Customer open job position; or
- Other individuals whose Personal Information is Processed as part of the provision of the Services.
 
- Categories of personal information: Customer determines the categories of any Personal Information that it discloses to Testlify, which may include without limitation Customer Personal Information relating to the following categories:
- Identification and contact data (e.g., name, address, phone number, title, email, other contact details);
- Employment details (e.g., job title, role, manager);
- Answers to test questions and results of tests;
- Additional data points processed, including but not limited to snapshots of user activity, screen recordings during assessments, geolocation data, and any other relevant user or session data captured during interactions with the platform.
- IT information (e.g., entitlements, IP addresses, usage data, cookies data, online identifiers);
- Domain and device information (e.g., hostnames and qualified hostnames);
- Information contained in logs related to security events identified and captured by Services; and/or
- Unstructured data provided to Testlify for the purpose of providing support services (e.g., packet capture (PCAP) for file testing).
 
- Sensitive data transferred (if applicable): When Processing Personal Information, primarily in connection with a forensic investigations Product whose purpose is to identify the underlying data, Testlify may process sensitive Personal Information. The nature and scope of the sensitive data that is transferred may not be known until after the Processing has taken place and may include: Personal Information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.
- Frequency: The transfer of information between the Parties to facilitate Testlify’s Processing on behalf of Customer will occur as needed until the termination of the Agreement.
Compliance with laws
The parties shall process personal data in accordance with applicable Data Protection Laws. Customer represents and warrants that its use of the Services, its authorization for Testlify’s access to and any related submission of data, including any Customer personal data, to Testlify, complies with all applicable laws, including those related to data privacy, data security, electronic communication and the export of technical, personal or sensitive data.
PCI compliance
Testlify is not a payment processor and as such is not subject to compliance with PCI standards. However, Testlify acknowledges that credit card information may be provided by Customer during the performance or use of the Services and therefore Testlify shall use data security controls that are compliant with PCI standards.
Limitation of liability
This DPA does not modify Testlify’s liability, whether in contract, tort or under any other theory of liability, towards the Customer based on other terms in force between the Customer and Testlify.
Conflict of terms
In the event of a conflict between the terms of this DPA and other terms in force between the Customer and Testlify, the terms of this DPA shall prevail with regard to data processing activities.
Appendix 1 to DPA: List of Subprocessors
| Serial No. | Subprocessor | Data Description | Country |
|---|---|---|---|
| 1. | AWS | Customer and candidate data | EU (DPA in place) |
| 2. | Hubspot | Customer Data for Customer Relationship Management application (CRM) | USA (DPA in place) |
| 3. | Twilio SendGrid | Email and customer data | USA (DPA in place) |
| 4. | ChargeBee | Subscription and financial data | USA (DPA in place) |
| 5. | MixPanel | Customer and candidate usage data | EU (DPA in place) |
| 6. | Merge | ATS Integration | USA (DPA in place) |
| 7. | MongoDB Atlas | Storing and Retrieving Data | EU (DPA in place) |
| 8. | Azure | Hosting and Security | EU (DPA in place) |
| 9. | GCP | Google Cloud Storage for data and encryption | EU (DPA in place) |
| 10. | HNR Tech | Candidate metadata, assessment logs, system diagnostics, and limited user identifiers | India (DPA in place) |
Appendix 2 to DPA: Information Security Measures
1. Scope
Taking into account the nature, scope, context, and purposes of processing, the state of the art, the costs of implementation, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, this document describes the technical and organizational measures that Company has in place and that will be implemented to secure Personal Data, End User Data, and Systems Data (collectively, “Data”) by any Company Product (“Measures”).
2. Definitions
“Agreement” means any underlying Company’s End User Agreement, Order Form, Engagement Letter, Statements of Work, or other legally entered and binding written or electronic agreement entered into between Company and Customer that governs the provision of Products by Company.
“End User Data” means data that is provided by or on behalf of Customer to Company during the relationship governed by the Agreement. For the avoidance of doubt, End User Data does not include Systems Data.
“Personal Data” means any information Processed on behalf of the Customer during the provision of a Product that (i) relates to an identified or identifiable natural person; or (ii) is defined as “personally identifiable information”, “personal information”, “personal data” or similar terms, as such terms are defined under Data Protection Laws, including as may be used in this DPA.
“Product” means, collectively, Hardware, Software, Subscription, or any combination thereof, regardless of whether or not the Product was procured under an Enterprise Program.
“Systems Data” means data generated and/or collected in connection with Customer’s use of the Products, such as logs, session data, telemetry data, support data, usage data, threat intelligence or actor data, statistics, aggregated data, net flow data, copies of potentially malicious files detected by the Product, and derivatives thereof.
3. Security Management
3.1. Security Program
Company maintains a written information security program that:
- is managed by a senior employee responsible for overseeing and implementing the program;
- includes administrative, technical, and physical safeguards reasonably designed to protect the confidentiality, integrity, and availability of Data; and
- is appropriate to the nature, size, and complexity of Company’s business operations.
3.2. Personnel Security
- The skills and competence of employees and contractors are assessed as part of the hiring process. Required skills and competencies shall be listed in job descriptions and requisitions. Competency evaluations may include reference checks, education and certification verifications, technical testing, and interviews.
4. Due diligence on sub-contractors
4.1. Company will:
- assess the security capabilities of any such subcontractors on a periodic basis to ensure subcontractors’ ability to comply with the Measures described in this document;
- apply written information security requirements that oblige subcontractors to adhere to Company’s key information security policies and standards consistent with and no less protective than these Measures.
5. Logical security
5.1. Systems Access Control and Network Access Control
- Company employs access control mechanisms that are intended to: (a) prevent unauthorized access to Data; (b) limit access to users who have a need to know; (c) follow the principle of least privilege, allowing access to only the Data and resources that are necessary; and (d) have the capability of detecting, logging, and reporting access to the system and network or attempts to breach security of the system or network.
- Company users have an individual account that authenticates that individual’s access to the Data. Company does not allow sharing of accounts. Access controls including passwords are configured in accordance with industry standards and best practices.
- Company maintains a process to review/audit controls (including access controls) on a minimum annual basis for all Company systems that transmit, process, or store Data.
- Company configures remote access to all networks storing or transmitting Data to require multi-factor authentication for such access.
- Company revokes access to systems and applications that contain or process Data promptly after the cessation of the need to access the system(s) or application(s).
5.2. Telecommunication and Network Security
- Company deploys firewall technology in the operation of Company’s sites. Traffic between Customer and Company will be protected and authenticated by industry standard cryptographic technologies.
- Company deploys an intrusion detection system to generate, monitor, and respond to alerts which could indicate potential compromise of the network and/or host.
- Company implements network segmentation between the corporate enterprise network and hosting facilities for Data. Within hosting facilities, we apply separation between environments dedicated to development, staging, and production, with multiple layers of access.
5.3. Malicious Code Protection
- Excepting specific servers dedicated to the analysis of compromised End User Data, Company workstations and servers run the current version of industry standard antivirus/anti-malware software with the most recent updates available on each workstation or server. Virus definitions are updated within twenty-four (24) hours of release by the software vendor. Company has anti-virus/anti-malware software configured to run real-time scanning of machines and a full system scan on regularly scheduled intervals.
- Company scans incoming and outgoing content for malicious code on all gateways to public networks, including, but not limited to, email and proxy servers.
5.4. Data Loss Prevention
- Company employs a comprehensive system to prevent the inadvertent or intentional compromise of Data.
6. Software development and maintenance
6.1. Open Source
- Company evaluates and tracks vulnerabilities of open-source software (OSS) and other third-party libraries that are incorporated into the Products; Company performs static code analysis and manual code review, as required by risk. Security verifications, including penetration testing and multiple dynamic analysis tools, are conducted by third-party firms, red teams, and threat researchers.
6.2. Change Management
- Company employs a documented change management program with respect to the Products as an integral part of its security profile. This includes logically or physically separate environments from production for all development and testing.
6.3. Vulnerability Management and Application Security Assessments
- Company utilizes a qualified third party to conduct the application security assessments. Company may conduct the security assessment review directly, following industry standard best practices.
7. Storage, handling and disposal
7.1. Data Segregation
Company physically or logically separates and segregates Personal Data and End User Data from its other customers’ data.
7.2. Encryption of Electronic Form Data
Company utilizes strong industry standard encryption algorithms and key strengths (i.e., AES 256-bit at rest, TLS v1.2 in transit) to encrypt all Personal Data and End User Data in electronic form while in transit over all public wired networks (e.g., Internet) and all wireless networks.
8. Business continuity and disaster recovery
8.1. Company develops, implements, and maintains a business continuity management program to address the needs of the business and Products provided to the Customer. To that end, Company completes a minimum level of business impact analysis, crisis management, business continuity, and disaster recovery planning:
- Company’s Business Impact Analysis Plan includes, but is not limited to, a systematic review of business functions and their associated processes that identifies dependencies, evaluates potential impact from disruptions, defines recovery time objectives, and improves process understanding, performed annually.
- Company’s Crisis Management Plan includes, but is not limited to, elements such as event management, plan and team activation, and event and communication process documentation, exercised at least annually.
- Company’s Business Continuity Plan includes, but is not limited to, elements such as location workarounds, application workarounds, vendor workarounds, and staffing workarounds, exercised at minimum annually.
- Company’s Disaster Recovery Plan includes, but is not limited to, infrastructure, technology, and system(s) details, recovery activities, and identifies the people/teams required for such recovery, exercised at least annually.
8.2. Plan Content
Company’s plan documentation under 8.1 addresses actions that Company will take in the event of an extended outage of service. Company ensures that its plans address the actions and resources required to provide for (i) the continuous operation of Company, and (ii) in the event of an interruption, the recovery of the functions required to enable Company to provide the Products, including required systems, hardware, software, resources, personnel, and data supporting these functions.
Data Protection Officer
For any questions or concerns regarding this Data Processing Agreement, data privacy, or the protection of your personal information, you may contact our Data Protection Officer:
Name: Chiranjeevi Tirunagari
Email: [email protected]
Contact: +1 (844) 755 8378