Data processing agreement
This Data Processing Agreement, including Appendices, (“DPA”) is incorporated into and forms part of the Agreement between Customer and Testlify, Inc. (hereafter “Testlify”).
Scope
This DPA between Customer, and if applicable, Customer’s Affiliates, and Testlify contains the legal terms and conditions that apply to the processing of End User Data, which may include personal data, by any of the Services.
Definitions
The following definitions apply throughout this DPA:
- “Agreement” means Testlify End User Agreement, unless a separate agreement governing the use of the Services exists between the parties.
- “Data protection laws” means data protection laws applicable to Testlify in its processing of personal data under this DPA, including, where applicable, the GDPR and the CCPA.
- “DPA” means this Customer Data Processing Agreement.
- “End user data” means data that may be accessed or collected by the Services during the relationship governed by the Agreement, in the form of logs, session data, telemetry, user data, usage data, threat intelligence data, and copies of potentially malicious files detected by the Product. End User Data may include confidential data and personal data, such as source and destination IP addresses, active directory information, file applications, URLs, file names, and file content.
- “GDPR” means the General Data Protection Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
- “Information security measures” the technical and organizational measures for ensuring the security of the processing.
- “Security incident” means any unauthorized access to any End User Data stored on Testlify’s equipment or in Testlify’s facilities, or unauthorized access to such equipment or facilities resulting in loss, disclosure, or alteration of End User Data that compromises the privacy, security or confidentiality of such End User Data.
Terms used in this DPA that are specifically defined in the GDPR shall have the same meaning as set forth in the GDPR. Terms used in this DPA that are not specifically defined in the GDPR shall have the same meaning as set forth in the Agreement.
Responsibilities of processing personal data as a processor
To the extent Testlify processes personal data on behalf of Customer as a processor (as defined by applicable Data Protection Laws), Testlify shall do so only on documented instructions from Customer pursuant to this DPA and the Agreement, to operate the Services, and as permitted or required by applicable law. Such instructions may include the configuration of the Product by the Customer. Testlify shall immediately inform Customer if, in its opinion, an instruction infringes applicable Data Protection Laws.
- Testlify processes personal data as a processor as defined by applicable Data Protection Laws, the following shall apply:
- Processing required by law. In the event Testlify is required by the applicable law to process Customer personal data, Testlify will carry out such processing and notify Customer of such legal requirement, unless such notification is prohibited by applicable law, giving Customer the ability to issue revised instructions or to cease using the Services.
- Compliance with applicable data protection laws. Testlify will process Customer personal data in accordance with applicable Data Protection Laws and will make available to Customer upon request the information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and other applicable Data Protection Laws.
- Data subject requests. Testlify shall provide reasonable assistance to Customer to comply with its obligations with regard to data subject rights under applicable Data Protection Laws, taking into account the nature of the data processing and the information available to Testlify. If Testlify or any sub-processor receives a request or a complaint from a data subject or its representative, including requests regarding the data subject’s rights under applicable Data Protection Laws, Testlify will forward the request without undue delay to Customer for handling unless Testlify is required by law to address that request. The Customer hereby authorizes Testlify to share the test data provided by a data subject with this data subject in case the latter requests such data from Testlify directly.
- Data protection impact assessment. Upon Customer’s written request, Testlify shall provide Customer with reasonable cooperation and assistance needed to fulfill Customer’s obligation under applicable Data Protection Laws to carry out a data protection impact assessment related to Customer’s use of the Services. Testlify shall also provide reasonable assistance to Customer in the cooperation or prior consultation with the Supervisory Authority, to the extent required under applicable Data Protection Laws.
- Authorized personnel. Testlify shall ensure that authorized personnel who process Customer personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Furthermore, except where required by applicable law, Testlify will not share Customer personal data with third parties other than with authorized sub- processors.
- Sub-processors. Customer authorizes Testlify to engage the sub-processors (identified at Appendix 1 to this agreement) to process personal data. In the event Testlify engages any new sub-processor, it will:
- Notify Customer through the support portal within fifteen (15) days of such change to give Customer the opportunity to object to such sub-processing. If Customer objects to a new sub-processor, Testlify will then endeavor to offer alternate options for the delivery of the relevant Product that does not involve the new sub-processor, without prejudice to any of Customer’s termination rights;
- Impose appropriate contractual obligations upon the sub-processor that are no less protective than this DPA; and
- Remain responsible and liable for the sub-processor’s compliance with this DPA and for any acts or omissions of the sub-processor that cause Testlify to breach any of its obligations under this DPA.
- Cross-border transfers. If Customer personal data is transferred outside of the European Economic Area or Switzerland, Testlify will comply with the European Economic Area and Swiss data protection law regarding the collection, use, transfer, retention, and other processing of personal data from the European Economic Area and Switzerland. Data transfers will be subject to appropriate safeguards as described in Article 46 of the GDPR. The Standard Contractual Clauses as adopted by the European Commission on 4 June 2021, together with its annexes, are incorporated herein by reference and made a part hereof. As a result of the Schrems II decision Testlify has implemented adequate supplementary technical and organizational security measures. These measures are described in the Information Security Measures. Execution of this DPA shall constitute execution of the Standard Contractual Clauses. In the event of any conflict or inconsistency between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
- Safeguarding confidentiality and security of personal data. Testlify has implemented practices and policies to maintain appropriate organizational, physical, and technical measures to safeguard the confidentiality and security of Customer personal data, taking into account state of the art, the costs of implementation, the nature, scope, context, and purposes of processing as well as the rights and freedoms of natural persons, including as appropriate:
- the pseudonymization, de-identification, or encryption of data;
- the ability to restore the availability and access to Customer personal data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing, and evaluating the effectiveness of Testlify’s Information Security Measures.
- Incident response plan. Testlify shall implement and maintain an incident response plan that specifies actions, including containment, investigation, reporting, and remediation, to be taken in the event of a Security Incident.
- Security incident. In the event of a Security Incident affecting Customer personal data, Testlify will, without undue delay: (a) inform the Customer of the Security Incident; (b) investigate and provide the Customer with available detailed information about the Security Incident; and (c) take reasonable steps to mitigate the effects and minimize any damage resulting from the Security Incident as required by applicable Data Protection Laws.
- Audit. Testlify shall make available to Customer, upon written request, subject to appropriate confidentiality obligations, a summary copy of applicable third-party audit report(s) or certifications it maintains for its Services so that the Customer can verify Testlify’s compliance with this DPA, the audit standards against which it has been assessed, and the standards specified in the Security Measures.
- Retention and deletion. Testlify shall process and retain Customer personal data no longer than necessary for the purposes for which it is processed. Upon termination of this DPA or the Agreement, Testlify shall: (i) delete Customer personal data that is no longer necessary to carry out any of the purposes under this DPA or the Agreement; or (ii) upon Customer’s request, provide options to return or erase, destroy, and render unrecoverable the Customer personal data, where reasonably possible. This section does not pertain to the personal data of data subjects outside of Customers, such as that of test results.
Details of personal data being processed
- Subject matter: The subject matter of the Processing under this DPA is Customer Personal Information.
- Duration: Testlify may Process Customer Personal Information under this DPA until the termination or expiration of the Agreement.
- Purpose: The purpose of the Processing of Customer Personal Information under this DPA is to enable Testlify to deliver the Services and perform its obligations as set forth in the Agreement (including this DPA) or as otherwise agreed by the Parties in mutually executed written form.
- Nature of the processing: To provide Services as described in the Agreement, Testlify will Process Customer Personal Information upon the instruction of Customer and in accordance with the terms of this DPA, including all applicable Addenda, and the Agreement.
- Categories of data subjects: Customer determines the categories and extent of any Customer Personal Information that it discloses to Testlify, which may include without limitation Customer Personal Information relating to the following categories of data subjects:
- Employees, contractors, consultants, and individuals belonging to Customer, or Customer’s clients’ and partners’ workforce; or
- Candidates applying to a Customer open job position
- Other individuals whose Personal Information is Processed as part of the provision of the Services.
- Categories of personal information: Customer determines the categories of any Personal Information that it discloses to Testlify, which may include without limitation Customer Personal Information relating to the following categories:
- Identification and contact data (e.g., name, address, phone number, title, email, other contact details);
- Employment details (e.g., job title, role, manager);
- Answers to test questions and results of tests
- Additional data points processed, including but not limited to snapshots of user activity, screen recordings during assessments, geolocation data, and any other relevant user or session data captured during interactions with the platform.
- IT information (e.g., entitlements, IP addresses, usage data, cookies data, online identifiers);
- Domain and device information (e.g., hostnames and qualified hostnames);
- Information contained in logs related to security events identified and captured by Services; and/or
- Unstructured data provided to Testlify for the purpose of providing support services (e.g., packet capture (PCAP) for file testing).
- Sensitive data transferred (if applicable): When Processing Personal Information, primarily with forensic investigations Product of which the purpose is to identify the underlying data, Testlify may process sensitive Personal Information. The nature and scope of the sensitive data that is transferred may not be known until after the Processing has taken place and may include: Personal Information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.
- Frequency: The transfer of information between the Parties to facilitate Testlify’ Processing on behalf of Customer will occur as needed until the termination of the Agreement.
Processing of end user data
Customer can configure the Services to share and transfer End User Data (as described in the applicable Product documentation). Customer acknowledges, agrees and grants to Testlify the right, to the extent permitted by applicable law, to process and retain data, including personal data, relating to a security event, that is shared or transferred by Customer, for the legitimate interest of operating, providing, maintaining, developing, and improving security technologies and services, including for purposes compatible with providing such services.
Compliance with laws
The parties shall process personal data in accordance with applicable Data Protection Laws. Customer represents and warrants that its use of the Services, its authorization for Testlify’ access to and any related submission of data, including any Customer personal data, to Testlify, complies with all applicable laws, including those related to data privacy, data security, electronic communication and the export of technical, personal or sensitive data.
PCI compliance
Testlify is not a payment processor and as such is not subject to compliance with PCI standards. However, Testlify acknowledges that credit card information may be provided by Customer during the performance or use of the Services and therefore Testlify shall use information data security controls that are compliant with PCI standards.
Limitation of liability
This DPA does not modify Testlify’ liability, whether in contract, tort or under any other theory of liability, towards the Customer based on other terms in force between the Customer and Testlify.
Conflict of terms
In the event of a conflict between the terms of this DPA and other terms in force between the Customer and Testlify, the terms of this DPA shall prevail with regard to data processing activities.
Appendix 1 to DPA: List of Subprocessors
Serial No. | Subprocessor | Data Description |
1. | AWS | Customer and candidate data |
2. | Hubspot | Customer Data for Customer Relationship Management application (CRM) |
3. | OpenReplay | Recording sessions |
4. | Twilio SendGrid | Email and customer data |
5. | ChargeBee | Subscription and financial data |
6. | MixPanel | Customer and candidate usage data |
7. | Intercom | Customer and Candidate data to deliver support |
8. | Sentry | Capturing Error Logs |
9. | Here | Location tracking of candidates |
10. | Merge | ATS Integration |
11. | Advertisement and website performance data | |
12. | Ipfy | IP address validation of candidates |
13. | MongoDB Atlas | Storing and Retrieving Data |
14. | Azure | Hosting and Security |
15. | GCP | Google Cloud Storage for data and encryption |