Data Processing Addendum

This Data Processing Addendum (“DPA”) sets forth the terms and conditions relating to the privacy and protection of Personal Information (as defined below) associated with Services rendered by Paradox to Client pursuant to any agreement entered into by Paradox and Client that expressly incorporates this DPA by reference (the “Agreement”).  Except as modified below, the terms of the Agreement shall remain in full force and effect.  In the event of any dispute or inconsistency between the terms of this DPA and the terms of the Agreement, the terms of this DPA shall control. Capitalized terms used but not defined herein shall have the meaning set forth in the Agreement.

The following definitions are for purposes of this DPA:

1.1 “Data Protection Laws” shall mean all laws and regulations in any country, state or locality in the world related to the treatment of Personal Information, including, without limitation, the collection, use, storage, handling, Processing and/or transfer of Personal Information, in each case, to the extent applicable to the relevant party in the enjoyment of its rights or performance of its obligations pursuant to the Agreement. Data Protection Laws include, without limitation, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act when in force, and as may be further amended or replaced from time to time including applicable regulations (“CCPA”), the Colorado Privacy Act (“CPA”), the Connecticut Data Privacy Act (“CTDPA”), the Virginia Consumer Data Protection Act (“VCDPA”), the Utah Consumer Privacy Act (“UCPA”), Section 5(a) of the Federal Trade Commission Act (15 U.S.C. § 45), and all other state or federal legislation amending or superseding the foregoing that may occur from time to time.

1.2 “Personal Information” means any information relating to (i) an identified or identifiable natural person and, (ii) “personal information”, “personal data”, “special categories of personal data”, “sensitive personal data” and similar terms shall have the meanings and otherwise be interpreted in accordance with the applicable Data Protection Laws.

1.3 “Process” or “Processing” means any operation or set of operations which is performed on Personal Information, or on sets of Personal Information, whether or not by automated means.

1.4 The terms “Business”, “Business Purpose”, “Collect”, “Commercial Purpose”, “Consumer”, “Contractor”, “Deidentified”, “Person”, “Sell”, “Service Provider”, and “Share” shall have the meanings and otherwise be interpreted in accordance with the applicable Data Protection Laws, and any cognate terms shall be construed accordingly.

2.1 Each party shall comply with Data Protection Laws and shall require that any of its Representatives with whom it shares Personal Information will be subject to privacy and confidentiality terms materially consistent with those in this DPA.

2.2 Client shall, in its use of the Services, Process Personal Information in accordance with the requirements of Data Protection Laws, including any applicable requirements to provide notice, obtain consent, and/or respond to data subjects regarding the use of the Services. For the avoidance of doubt, Client’s instructions for the Processing of Personal Information shall comply with Data Protection Laws. Client shall have sole responsibility for the accuracy, quality, and legality of Personal Information and the means by which Client acquired Personal Information. Client specifically acknowledges that its use of the Service will not violate the rights of any Data Subject that has opted-out from Sales, Sharing or other disclosures of Client Personal Information, to the extent applicable under the Data Protection Laws.

2.3 Paradox will comply with Data Protection Laws in the Processing of Client Personal Information and provide the same level of privacy protection as is required of Businesses under the CCPA and other applicable Data Protection Laws.

2.4 Paradox will notify Client promptly if it makes a determination that it can no longer meet its obligation under the DPA or any Data Protection Laws.

2.5 Client has the right to take reasonable and appropriate steps to help ensure that Paradox (including any Supplier or Subprocessor) uses the Client Personal Information in a manner consistent with Paradox’s obligations under Data Protection Laws. 

2.6 To the extent Paradox will be Processing the Personal Information of individuals outside of the United States in its provision of the Services, Client may request that Paradox provide copy of its Global Data Privacy Addendum (“GDPA”) by emailing privacy@paradox.ai

3.1 Paradox shall only Process Client Personal Information as instructed by Client, including as set out in the Agreement, and as permitted by Data Protection Laws.

3.2 All Client Personal Information disclosed by Client to Paradox, or that Paradox receives or Processes on Client’s behalf, is disclosed or received only for limited and specified purposes, including for one or more Business Purposes as that term is defined under the US Data Protection Laws, including, without limitation, provision of recruiting and human capital management SaaS and associated professional services.

3.3 To the extent that Client otherwise discloses to Paradox any Client Personal Information for a Business Purpose and any other applicable Data Protection Laws, Paradox is prohibited from (i) Selling and Sharing Client Personal Information; (ii) retaining, using, or disclosing the Client Personal Information that Paradox Collected pursuant to the Agreement with Client (a) for any Commercial Purpose other than the Business Purposes specified in the Agreement unless expressly permitted by Data Protection Laws and (b) outside the direct business relationship between Paradox and Client, unless expressly permitted by Data Protection Laws. For example, Paradox shall be prohibited from combining or updating Client Personal Information that it Collected pursuant to the Agreement with the Client with Personal Information that it received from another source or Collected from its own interaction with the Consumer, unless expressly permitted by Data Protection Laws.

3.4 To the extent Paradox is considered a Contractor, Paradox certifies it understands the restrictions and conditions in Sections 3.2-3.3 and will comply with them.

3.5 If Client provides Paradox with Deidentified Client Personal Information, or if Paradox Deidentifies Client Personal Information previously provided by Client, Paradox agrees to (i) take reasonable measures to ensure that the Client Personal Information cannot be associated with a consumer or under the CCPA, household, (ii) publicly commit to maintaining such Client Personal Information in its Deidentified form, (iii) not attempt to reidentify the Client Personal Information, and (iv) contractually obligate any recipients of the Deidentified Client Personal Information to comply with equivalent requirements.

4.1 Paradox shall adhere to the instructions of Client and shall assist the Client in meeting its obligations under Data Protection Laws. Such assistance may include, at Client’s direction: (i) taking into account the nature of processing and the information available to Paradox, by appropriate technical and organizational measures, insofar as this is reasonably practicable, (a) fulfilling the Client's obligation to respond to Consumer rights requests pursuant to Data Protection Laws and (b) assisting the Client in meeting the Client's obligations in relation to the security of Processing the Personal Information and in relation to the notification of a breach of security of the system of Paradox pursuant to applicable law in order to meet the Client’s obligations.

4.2 If Client Collects a Consumer's Personal Information, it shall implement reasonable security procedures and practices appropriate to the nature of the Personal Information to protect the Personal Information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with applicable law.

4.3 Each party shall notify the other if there has been, or reasonably believes there has been, any breach of security involving Personal Information of Client or Paradox without undue delay and shall cooperate with each other in good faith to promptly respond to and use commercially reasonable measures to mitigate adverse effects on Consumers and provide any notification to Consumers and/or government authorities all as required by Data Protection Laws.

4.4 Client shall have the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Client Personal Information. For example, Client may require that Paradox provide documentation that verifies that Paradox no longer retains or uses the Personal Information of Consumers who have made a valid request to delete with the Client.

4.5 Depending on the features and functionality of the Services and the agreement between the parties, Client shall either: (i) direct Paradox to enable Client to comply with Consumer requests made pursuant to Data Protection Laws or (ii) inform Paradox of any Consumer request made pursuant to Data Protection Laws that Client must comply with and provide the information necessary for Paradox to comply with the request. 

4.6 Upon the reasonable request of the Client, Paradox will make available to Client information in its possession necessary to demonstrate Paradox’s compliance with its obligations under Data Protection Laws. Paradox may arrange for a qualified and independent assessor to conduct an assessment of its policies and technical and organizational measures in support of the obligations under Data Protection Laws using an appropriate and accepted control standard or framework and assessment procedure for such assessments. Paradox shall provide a report of such assessment to the Client upon request. Such audits shall be conducted upon reasonable, advance written notice, during normal business hours, during the term of the Agreement.

5.1 Client has instructed and authorized the use of Subprocessors to assist Paradox in the performance of its obligations under the Agreement and a current list of Paradox Subprocessors is available at https://www.paradox.ai/legal/subprocessors (as updated by Paradox from time-to-time) (the “Sub-processor List”). The Parties agree that Paradox may provide notice of a new Subprocessor by adding such a new Subprocessor to the Subprocessor List at least thirty (30) days prior to sharing any Client Personal Information with such Subprocessor. Client may: (i) subscribe to receive email updates of any new Subprocessor at the web page where the Subprocessor list is located; and (ii) object on reasonable grounds to a new Subprocessor by emailing Paradox at privacy@paradox.ai within thirty (30) days of the new Subprocessor being added to the Subprocessor List. If Paradox and Client are unable to resolve Client's concerns within thirty (30) days after receipt of such email, then Paradox or Client may terminate the relevant processing of any Client Personal Information.

6.1 After conclusion of the provision of services, or at the earlier request of Client, Paradox, shall, at Client’s direction, either securely delete or return to Client, the Client Personal Information Collected and Processed under this DPA, unless any applicable legal provision requires further Processing of the Client Personal Information.

IN WITNESS WHEREOF, this DPA is entered into and becomes a binding part of the Agreement with effect from the date signed below.