Data Processing Addendum

Last updated and effective as of March 4, 2023 (the “DPA Effective Date”).

This Data Processing Addendum (“DPA”), forms part of the Partnership Agreement or other agreement or terms of service (in each case, the “Agreement”) between Adept ID, Inc. (“Company”) and the entity that has engaged Company to provide the Services (“Partner”). Capitalized terms used and not otherwise defined herein shall have the meanings ascribed to them in the Agreement. Each of Company and Partner is referred to in this DPA individually as a “party”, collectively the “parties”. By entering into the Agreement, the parties are deemed to have signed all Exhibits, Attachments, Annexes, Schedules, and Appendices, including those incorporated by reference, to this DPA where applicable.

  1. Definitions.
    • a. “CPRA” means (to the extent applicable) the California Privacy Rights Act of 2020, together with any regulations promulgated thereunder.
    • b. “DPA Data” means any Partner Data (to the extent such term is defined in the Agreement) and any information Processed by Company solely on behalf of Partner, including without limitation any EU Personal Data, UK Personal Data, and/or California Personal Data.
    • c. “European Data Protection Laws” means, collectively, the GDPR and the UK Data Protection Laws, as applicable.
    • d. “GDPR” means the General Data Protection Regulation (EU) 2016/679.
    • e. “Personal Data” means any information relating to any identified or identifiable individual or household.
    • f. “Processing” (including any grammatically inflected forms thereof) means any operation or set of operations which is performed on data or on sets of data, whether or not by automated means, including without limitation collection, recording, organization, structuring, storage, adaptation or alteration, access, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
    • g. “Services” means the services provided to Partner by or on behalf of Company under the Agreement, including the Service and any Professional Services.
    • h. “UK” means the United Kingdom.
    • i. “UK Data Protection Laws” means UK GDPR and the UK’s Data Protection Act 2018 (“UK DPA 2018”).
    • j. “UK GDPR” means the UK equivalent of the GDPR, as defined in section 3(10) (and as supplemented by section 205(4)) of the UK DPA 2018.
  1. To the extent Company Processes Personal Data regulated by the GDPR solely on behalf of Partner (“EU Personal Data”), and to the extent Partner is a controller (as defined in the GDPR) and the Company is a processor (as defined in the GDPR) on behalf of Partner with regard to such EU Personal Data, then to the extent required by the GDPR, Module 2 of the Standard Contractual Clauses for the Transfer of Personal Data as set out in European Commission Decision 2021/914/EC, available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN (the “Controller to Processor Standard Contractual Clauses”) will apply to the transfer of such EU Personal Data by Partner to Company and to Company’s Processing of such EU Personal Data and the parties hereby agree to comply with such Controller to Processor Standard Contractual Clauses, which are hereby incorporated into the Agreement in their entirety, except as set forth in Exhibit A. In the event of a conflict between the Agreement and the Controller to Processor Standard Contractual Clauses, the Controller to Processor Standard Contractual Clauses will control to the extent applicable to such EU Personal Data.
  2. To the extent Company Processes EU Personal Data, and to the extent Partner is a processor (as defined in the GDPR) on behalf of a third party with respect to EU Personal Data and the Company is a processor on behalf of Partner with regard to such EU Personal Data, then to the extent required by the GDPR, Module 3 of the Standard Contractual Clauses for the Transfer of Personal Data as set out in European Commission Decision 2021/914/EC, available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN (the “Processor to Processor Standard Contractual Clauses”) will apply to the transfer of such EU Personal Data by Partner to Company and to the Company’s Processing of such EU Personal Data and the parties hereby agree to comply with such Processor to Processor Standard Contractual Clauses, which are hereby incorporated into the Agreement in their entirety, except as set forth in Exhibit B. In the event of a conflict between the Agreement and the Processor to Processor Standard Contractual Clauses, the Processor to Processor Standard Contractual Clauses will control to the extent applicable to such EU Personal Data.
  3. To the extent Company Processes Personal Data regulated by the UK Data Protection Laws solely on behalf of Partner (“UK Personal Data”), then to the extent required by the UK Data Protection Laws, the UK’s ‘International Data Transfer Addendum to the EU Commission Standard Contractual Clauses’, Version B1.0, in force from March 21, 2022, available at https://ico.org.uk/media/for-organisations/documents/4019535/addendum-international-data-transfer.docx (the “UK Data Exhibit”) will apply to the transfer of such UK Personal Data by Partner to Company and to the Company’s Processing of such UK Personal Data and the parties hereby agree to comply with such UK Data Exhibit, which is hereby incorporated into the Agreement in its entirety and as set forth in Exhibit C. In the event of a conflict between the Agreement and the UK Data Exhibit, the UK Data Exhibit will control to the extent applicable to the UK Personal Data.
  4. To the extent Partner makes available to Company Personal Data regulated by the CPRA for a business purpose pursuant to the Agreement and/or to the extent Company Processes Personal Data regulated by the CPRA solely on behalf of Partner (collectively, “California Personal Data”), then to the extent required by the CPRA, the California Data Exhibit (attached hereto as Exhibit D, the “California Data Exhibit”) will apply to the Company’s Processing of such California Personal Data and the parties hereby agree to comply with such California Data Exhibit, which is hereby incorporated into the Agreement in its entirety. In the event of a conflict between the Agreement and the California Data Exhibit, the California Data Exhibit will control to the extent applicable to the California Personal Data.
  5. Partner represents, warrants, and covenants that: (i) it has (and will have) Processed, collected, and disclosed all DPA Data in compliance with applicable law and provided any notice and obtained all consents and rights required by applicable law to enable Company to lawfully Process DPA Data as permitted by the Agreement and/or this DPA; (ii) it has (and will continue to have) full right and authority to make the DPA Data available to Company under the Agreement and this DPA; and (iii) Company’s Processing of the DPA Data in accordance with the Agreement, this DPA, and/or Partner’s instructions does and will not infringe upon or violate any applicable law or any rights of any third party. Partner shall indemnify, defend and hold Company harmless against any claims, actions, proceedings, expenses, damages and liabilities (including without limitation any governmental investigations, complaints and actions) and reasonable attorneys’ fees arising out of Partner’s violation of this Section 6. Notwithstanding anything to the contrary in the Agreement, Partner’s indemnification obligations under this Section 6 shall not be subject to any limitations of liability set forth in the Agreement.
  6. Notwithstanding anything to the contrary in the Agreement (including this DPA), Partner acknowledges that Company shall have a right to use and disclose data relating to the operation, support and/or use of the Services for its legitimate business purposes, such as product development and sales and marketing. To the extent any such data is considered personal data (as defined in, and regulated by the European Data Protection Laws), then, to the extent Company is subject to the European Data Protection Laws as a controller (as defined in the European Data Protection Laws), Company is the controller (as defined in the European Data Protection Laws) of such data and accordingly shall Process such data in accordance with the European Data Protection Laws. To the extent any such data is considered personal information (as defined in, and regulated by, the CPRA), then, to the extent Company is subject to the CPRA as a business (as defined in the CPRA), Company is the business (as defined in the CPRA) with respect to such data and accordingly shall Process such data in accordance with the CPRA.
  7. This DPA (together with the Agreement), constitutes the entire agreement between the parties and supersedes all prior undertakings and agreements between the parties, whether written or oral, with respect to the subject matter of this DPA. Company reserves the right, in its sole discretion, to change, modify, replace, add to, supplement or delete any terms and conditions of this DPA at any time by posting an updated version of this DPA on this webpage.
  8. In this DPA, unless a clear contrary intention appears: (i) where not inconsistent with the context, words used in the present tense include the future tense and vice versa and words in the plural number include the singular number and vice versa; (ii) reference to any person includes such person’s successors and assigns but, if applicable, only if such successors and assigns are not prohibited by the Agreement; (iii) reference to any gender includes each other gender; (iv) reference to any agreement, document or instrument means such agreement, document or instrument as amended or modified and in effect from time to time in accordance with the terms thereof and includes all addenda, exhibits and schedules thereto; (v) the titles and subtitles used in this DPA are used for convenience only and are not to be considered in construing or interpreting this DPA; (vi) “hereunder,” “hereof,” “hereto,” and words of similar import shall be deemed references to this DPA as a whole and not to any particular Section or Subsection of this DPA; (vii) “including” (including grammatically inflected forms thereof) means including without limiting the generality of any description preceding such term; (viii) all references to “days” refer to calendar days; and (ix) the word “or” is not exclusive. This DPA has been executed in English and the English language version shall control notwithstanding any translations of this DPA.

Exhibit A
MODULE 2 – CONTROLLER TO PROCESSOR
STANDARD CONTRACTUAL CLAUSES

(a) For the purposes of the Controller to Processor Standard Contractual Clauses:

  • (1) Clause 7. The parties agree that the optional language in Clause 7 is included.
  • (2) Clause 9(a). The parties agree that under Option 2, Company has Partner’s general authorization to subcontract its processing activities to the list of sub-processors set out in Section (a)(11)(i). Company will inform Partner in writing of any intended changes to the list of sub-processors set out in Section (a)(11)(i) at least 10 days prior to engaging with any other sub-processor.
  • (3) Clause 11. The parties agree that the optional language in Clause 11 is excluded.
  • (4) Clause 13. The parties agree that the brackets are removed in the provisions in Clause 13(a) such that the appropriate provision will apply as applicable.
  • (5) Clause 17. The Controller to Processor Standard Contractual Clauses shall be governed by the laws of Ireland.
  • (6) Clause 18. The parties agree that any dispute arising from the Controller to Processor Standard Contractual Clauses shall be resolved by the courts of Ireland.
  • (7) Annex I.A.
    • i. The name, address, and the name and contact details of the contact person of Partner (which is the data exporter) are as set forth in the Agreement.
    • ii. The name, address, and the name and contact details of the contact person of Company (which is the data importer) are as follows:
      • Name: Adept ID, Inc.
        Address: 184 High Street, Suite 602, Boston, MA 02110
        Attn: Fernando Rodriguez-Villa, CEO and President; [email protected]
    • iii. The activities relevant to the data transferred are the provision and receipt of the Services as described in the Agreement.
      iv. The signature and date are the signature and date set forth in the Agreement.
      v. The roles of the parties are as follows: Company is a processor and Partner is a controller.
  • (8) Annex I.B.
    • i. The categories of data subject are individuals associated with Partner whose information may be made available by or on behalf of Partner to Company, which may be through Partner’s Applicant Tracking System or Human Resource Information System, and/or uploaded by or on behalf of Partner to the Services, or which may be through the completion of surveys distributed by Company at the direction and on behalf of Partner, such as applicants, personnel, enrolled learners, and alumni/graduated learners.
    • ii. The categories of personal data transferred are determined by Partner in its sole discretion and may include, but are not limited to:
      • Unique ID; current and previous job role and description (including dates of employment); prior work history (including job title); resume; demographic data (including gender, race/ethnicity, and education); interview, offer, and hiring decisions; geography (city/state/zip code); and any personal data included within any survey.
    • iii. The categories of sensitive personal data are, to the extent applicable, any sensitive data that Partner in its sole discretion makes available to Company or requests applicants and employees to submit, such as race and ethnicity, and any other sensitive personal data provided by individuals associated with Partner as part of the survey responses submitted through the Services.
    • iv. The frequency of the transfer shall be on a continuous basis.
    • v. The nature of the processing is such that the personal data will be subject to basic processing, including but not limited to collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction for the purpose of providing the Services by data importer to the data exporter in accordance with the terms of the Agreement.
    • vi. The purpose of the data transfer and further processing is provision of the Services by data importer to data exporter.
    • vii. The duration of the processing under these Controller to Processor Standard Contractual Clauses shall continue as long as data importer carries out personal data processing operations on behalf of data exporter or until the termination of the Agreement (and all personal data has been returned or deleted in accordance with these Controller to Processor Standard Contractual Clauses).
    • viii. For transfers to sub-processors, personal data will be transferred to sub-processors in order for the data importer to provide the Services to the data exporter. The nature of the processing by such sub-processors will be as follows: the personal data will be subject to basic processing, which may include without limitation collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction for the purpose of providing the Services to the data exporter in accordance with the terms of the Agreement. The duration of the processing by such sub-processors shall continue as long as such sub-processors carry out personal data processing operations on behalf of the data importer.
  • (9) Annex I.C.
    • i. The data exporter’s competent supervisory authority will be determined in accordance with the GDPR.
  • (10) Annex II.
    • i. Company adheres to the SOC 2, Type II controls with respect to EU Personal Data. Company’s SOC 2 report will be provided upon written request.
  • (11) Annex III.

Exhibit B

MODULE 3 – PROCESSOR TO PROCESSOR
STANDARD CONTRACTUAL CLAUSES

  • (a) For the purposes of the Processor to Processor Standard Contractual Clauses:
    • (1) Clause 7. The parties agree that the optional language in Clause 7 is included.
    • (2) Clause 9(a). The parties agree that under Option 2, Company has Partner’s general authorization to subcontract its processing activities to the list of sub-processors set out in Section (a)(11)(i). Company will inform Partner in writing of any intended changes to the list of sub-processors set out in Section (a)(11)(i) at least 10 days prior to engaging with any other sub-processor.
    • (3) Clause 11. The parties agree that the optional language in Clause 11 is excluded.
    • (4) Clause 13. The parties agree that the brackets are removed in the provisions in Clause 13(a) such that the appropriate provision will apply as applicable.
    • (5) Clause 17. The Processor to Processor Standard Contractual Clauses shall be governed by the laws of Ireland.
    • (6) Clause 18. The parties agree that any dispute arising from the Processor to Processor Standard Contractual Clauses shall be resolved by the courts of Ireland.
    • (7) Annex I.A.
      • i. The name, address, and the name and contact details of the contact person of Partner (which is the data exporter) are as set forth in the Agreement.
      • ii. The name, address, and the name and contact details of the contact person of Company (which is the data importer) are as follows:
        • Name: Adept ID, Inc.
          Address: 184 High Street, Suite 602, Boston, MA 02110
          Fernando Rodriguez-Villa, CEO and President; [email protected]
      • iii. The activities relevant to the data transferred are the provision and receipt of the Services as described in the Agreement.
      • iv. The signature and date are the signature and date set forth in the Agreement.
      • v. The roles of the parties are as follows: Company is a processor and Partner is a processor.
    • (8) Annex I.B.
      • i. The categories of data subject are individuals associated with the entity who has engaged Partner whose information may be made available by or on behalf of Partner to Company, which may be through such entity’s Applicant Tracking System or Human Resource Information System and/or uploaded by such entity or Partner to the Services, or which may be through the completion of surveys distributed by Company at the direction and on behalf of Partner, such as applicants, personnel, enrolled learners, and alumni/graduated learners.
      • ii. The categories of personal data transferred are determined by Partner in its sole discretion (as between the Partner and Company) and may include, but are not limited to:
        • Unique ID; current and previous job role and description (including dates of employment); prior work history (including job title); resume; demographic data (including gender, race/ethnicity, and education); interview, offer, and hiring decisions; geography (city/state/zip code); and any personal data included within any survey.
      • iii. The categories of sensitive personal data are, to the extent applicable, any sensitive data that Partner in its sole discretion (as between the Partner and Company) makes available to Company or requests applicants and employees to submit, such as race and ethnicity, and any other sensitive personal data provided by individuals associated with the entity who has engaged Partner as part of the survey responses submitted through the Service.
      • iv. The frequency of the transfer shall be on a continuous basis.
      • v. The nature of the processing is such that the personal data will be subject to basic processing, including but not limited to collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction for the purpose of providing the Services by data importer to the data exporter in accordance with the terms of the Agreement.
      • vi. The purpose of the data transfer and further processing is provision of the Services by data importer to data exporter.
      • vii. The duration of the processing under these Processor to Processor Standard Contractual Clauses shall continue as long as data importer carries out personal data processing operations on behalf of data exporter or until the termination of the Agreement (and all personal data has been returned or deleted in accordance with these Processor to Processor Standard Contractual Clauses).
      • viii. For transfers to sub-processors, personal data will be transferred to sub-processors in order for the data importer to provide the Services to the data exporter. The nature of the processing by such sub-processors will be as follows: the personal data will be subject to basic processing, which may include without limitation collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction for the purpose of providing the Services to the data exporter in accordance with the terms of the Agreement. The duration of the processing by such sub-processors shall continue as long as such sub-processors carry out personal data processing operations on behalf of the data importer.
    • (9) Annex I.C.
      • i. The data exporter’s competent supervisory authority will be determined in accordance with the GDPR.
    • (10) Annex II.
      • i. Section (a)(10)(i) of Exhibit A is incorporated herein by reference.
    • (11) Annex III.
      • i. Section (a)(11)(i) of Exhibit A is incorporated herein by reference.

Exhibit C
UK DATA EXHIBIT

  • (a) For the purposes of the UK Data Exhibit:
    • (1) For the purposes of Table 1 of the UK Data Exhibit, the start date shall be the later of the DPA Effective Date or the date the Agreement is entered into by the parties, and the names of the parties, their roles and their details shall be as set out in Exhibit A Section (a)(7) and Exhibit B Section (a)(7), respectively;
    • (2) For the purposes of Tables 2 and 3 of the UK Data Exhibit, the Controller to Processor Standard Contractual Clauses and the Processor to Processor Standard Contractual Clauses, including the information set out in Exhibit A Section (a)(8), (10), and (11)(i) and Exhibit B Section (a)(8), (10), and (11)(i), respectively, shall apply; and
    • (3) For the purposes of Table 4 of the UK Data Exhibit, either party may end the UK Data Exhibit.

Exhibit D

California Data Exhibit

  1. This California Data Exhibit (this “Exhibit”), forms part of the DPA. Capitalized terms used and not otherwise defined herein shall have the meanings ascribed to them in the DPA or the Agreement (as applicable).
  2. CPRA Provisions.
    • a. In this Exhibit, the following terms have the meanings given in the CPRA: “business purpose”, “personal information”, “processing”, “service provider”, “contractor”, “person”, “share”, “sharing”, “shared”, “sell”, “selling”, “sale” and “sold”.
    • b. Except as otherwise required by applicable law, Company shall:
      • i. not sell or share California Personal Data;
      • ii. not retain, use, or disclose California Personal Data for any purpose other than for the business purposes specified in the Agreement for the Partner, nor retain, use, or disclose California Personal Data for a commercial purpose other than the business purposes specified in the Agreement, or as otherwise permitted by the CPRA;
      • iii. not retain, use, or disclose California Personal Data outside of the direct business relationship between the parties;
      • iv. not combine California Personal Data, which Company receives pursuant to the Agreement or from or on behalf of Partner, with personal information which it receives from or on behalf of another person or persons, or collects from its own interaction with the individual to whom such California Personal Data relates, except as otherwise expressly permitted by the CPRA;
      • v. reasonably cooperate with Partner in responding to any requests from any individual regarding California Personal Data relating to such individual, including reasonably assisting Partner in deletion, correction, or limitation of the use of such California Personal Data where required under the CPRA, and including instructing Company’s service providers and/or contractors (if any) to so reasonably cooperate in such response;
        vi. reasonably assist Partner through appropriate technical and organizational measures in Partner’s complying with the requirements of subdivisions (d) to (f), inclusive, of Section 1798.100 of the CPRA, taking into account the nature of the California Personal Data processing by Company;
      • vii. implement and maintain commercially reasonable security procedures and practices appropriate to the nature of the California Personal Data intended to protect such California Personal Data from unauthorized access, destruction, use, modification, or disclosure;
      • viii. comply with all applicable obligations under the CPRA and provide the same level of privacy protection with respect to California Personal Data as required by the CPRA; and
      • ix. notify Partner if Company determines it can no longer meet its obligations under the CPRA.
      • To the extent Company is a contractor, Company certifies that Company understands the restrictions provided in Sections 2(b)(i), 2(b)(ii), 2(b)(iii), and 2(b)(iv) and will comply with them.
  • c. Company acknowledges and agrees that the California Personal Data has been disclosed to it for the limited and specified purposes set forth in the Agreement and Company further acknowledges and agrees Partner shall have the right: (i) to take reasonable and appropriate steps to ensure that Company uses California Personal Data in a manner consistent with Partner’s obligations under the CPRA; and (ii) upon notice from Partner to Company, to take reasonable and appropriate steps to stop and remediate unauthorized use of California Personal Data.
  • d. To the extent required by the CPRA and to the extent Company is a contractor, Company shall permit, subject to agreement of the parties, Partner to monitor Company’s compliance with this Exhibit through measures, including, but not limited to, ongoing manual reviews and automated scans, and regular assessments, audits, or other technical and operational testing once every twelve (12) months (each, an “Audit”), upon reasonable prior notice from Partner, provided that no third-party auditor (each an “Auditor”) shall be a competitor of Company, nor shall any Auditor be compensated on a contingency basis, and provided further that in no event shall Partner have access to the information of any other client of Company and the disclosures made pursuant to this Section 2(d) (“Audit Information”) shall be held in confidence as Company’s confidential information and subject to any confidentiality obligations in the Agreement, and provided further that no Audit shall be undertaken unless or until Partner has requested, and Company has provided, information about Company’s data protection practices and Partner reasonably determines that an Audit remains necessary to demonstrate material compliance with the obligations laid down in this Exhibit. Without limiting the generality of any provision in the Agreement, Partner shall employ the same degree of care to safeguard Audit Information that it uses to protect its own confidential and proprietary information and in any event, not less than a reasonable degree of care under the circumstances, and Partner shall be liable for any improper disclosure or use of Audit Information by Partner or its agents.
  • e. If Company engages any other person to assist Company in processing California Personal Data for a business purpose on behalf of Partner, Company shall notify Partner of such engagement, and the engagement shall be pursuant to a written contract binding the other person to observe substantially similar requirements to those set forth in this Exhibit. Company hereby notifies Partner that Company may engage the persons listed in Section (a)(11)(i) of Exhibit A to this DPA to assist Company in processing California Personal Data for a business purpose on behalf of Partner.