Customer data processing agreement

Version v2 - March 2023

Introduction

This DPA between Customer (and, if applicable, Customer’s Affiliates) and TestGorilla contains the legal terms and conditions that apply to the processing of Customer’s personal data by any of the Services.

1. Scope

This DPA between Customer (and, if applicable, Customer’s Affiliates) and TestGorilla contains the legal terms and conditions that apply to the processing of End User Data, which may include personal data, by any of the Services.

2. Definitions

Insofar as not already defined in the Agreement, the following definitions apply throughout this DPA:

“Agreement” means TestGorilla’s Terms of Service, the applicable service level agreement, other instructions and policies and applicable ordering documents, unless a separate agreement governing (the use of) the Services exists between the parties.

“Data Protection Laws” means the data protection laws applicable to TestGorilla in its processing of Customer Personal Data under this DPA, including, where applicable, the GDPR and the CCPA.

“DPA” means this Customer Data Processing Agreement.

“Customer Personal Data” means Customer data that may be accessed or collected by the Services during the relationship governed by the Agreement, in the form of logs, session data, telemetry, user data, usage data, threat intelligence data, and copies of potentially malicious files detected by the Services. Customer Personal Data may include confidential data and personal data, such as Customer-developed tests uploaded by Customer as part of its use of the Services; the output generated by the Services when analyzing, screening, assessing, scoring, rating, evaluating or otherwise qualifying an individual Candidate; hiring outcomes; communications directly between Customer and Candidates; as well as source and destination IP addresses, Active Directory information, file applications, URLs, file names, and file content.

“GDPR” means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

“Information Security Measures” means the technical and organizational measures for ensuring the security of the processing, as described in the TestGorilla Security Measures.

“Security Incident” means any unauthorized access to any Customer Personal Data stored on TestGorilla’s equipment or in TestGorilla’s facilities, or unauthorized access to such equipment or facilities resulting in loss, disclosure, or alteration of Customer Personal Data that compromises the privacy, security or confidentiality of such Customer Personal Data.

Terms used in this DPA that are specifically defined in the GDPR shall have the same meaning as set forth in the GDPR. Terms used in this DPA that are not specifically defined in the GDPR shall have the same meaning as set forth in the Agreement.

3. Responsibilities of processing personal data as a processor

3.1. To the extent TestGorilla processes personal data on behalf of Customer as a processor (as defined by applicable Data Protection Laws), TestGorilla shall do so only on documented instructions from Customer pursuant to this DPA and the Agreement, to operate the Services, and as permitted or required by applicable law. Such instructions may include the configuration of the Services by Customer. TestGorilla shall immediately inform Customer if, in its opinion, an instruction infringes applicable Data Protection Laws.

3.2. Insofar as TestGorilla processes personal data as a processor as defined by applicable Data Protection Laws, the following shall apply:

  • Processing required by law

    In the event TestGorilla is required by applicable law to process Customer Personal Data, TestGorilla will carry out such processing and notify Customer of such legal requirement, unless such notification is prohibited by applicable law, giving Customer the ability to issue revised instructions or to cease using the Services.

  • Compliance with applicable data protection laws

    TestGorilla will process Customer Personal Data in accordance with applicable Data Protection Laws and will make available to Customer upon request the information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and other applicable Data Protection Laws.

  • Data subject requests

    TestGorilla shall provide reasonable assistance to Customer to comply with its obligations with regard to data subject rights under applicable Data Protection Laws, taking into account the nature of the data processing and the information available to TestGorilla. If TestGorilla or any sub-processor receives a request or a complaint from a data subject or its representative regarding Customer Personal Data, including requests regarding the data subject’s rights under applicable Data Protection Laws, TestGorilla will forward the request without undue delay to Customer for handling.

  • Data protection impact assessment

    Upon Customer’s written request, TestGorilla shall provide Customer with the reasonable cooperation and assistance needed to fulfill Customer’s obligation under applicable Data Protection Laws to carry out a data protection impact assessment related to Customer’s use of the Services. TestGorilla shall also provide reasonable assistance to Customer in the cooperation or prior consultation with the Supervisory Authority, to the extent required under applicable Data Protection Laws.

  • Authorized personnel

    TestGorilla shall ensure that authorized personnel who process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Furthermore, except where required by applicable law, TestGorilla will not share Customer Personal Data with third parties other than with authorized sub-processors.

  • Sub-processors

    Customer authorizes TestGorilla to engage the sub-processors listed in Appendix 1 to this DPA to process Customer Personal Data. In the event TestGorilla engages any new sub-processor, it will:

    • notify Customer through the support portal within fifteen (15) days of such change to give Customer the opportunity to object to such sub-processing. If Customer objects to a new sub-processor, TestGorilla will endeavor to offer alternative options for the delivery of the relevant Services that do not involve the new sub-processor, without prejudice to any of Customer’s termination rights;

    • impose appropriate contractual obligations upon the sub-processor that are no less protective than this DPA; and

    • remain responsible and liable for the sub-processor's compliance with this DPA and for any acts or omissions of the sub-processor that cause TestGorilla to breach any of its obligations under this DPA.

  • Cross-border transfers

    If Customer Personal Data is transferred outside of the European Economic Area or Switzerland, TestGorilla will comply with European Economic Area and Swiss data protection laws regarding the collection, use, transfer, retention, and other processing of Customer Personal Data originating from the European Economic Area and Switzerland. Data transfers will be subject to appropriate safeguards as described in Article 46 of the GDPR. The Standard Contractual Clauses as adopted by the European Commission on 4 June 2021, together with their annexes, are incorporated herein by reference and made a part hereof. As a result of the Schrems II decision, TestGorilla has implemented adequate supplementary technical and organizational security measures. These measures are described in the Information Security Measures. Execution of this DPA shall constitute execution of the Standard Contractual Clauses. In the event of any conflict or inconsistency between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

  • Safeguarding confidentiality and security of personal data

    TestGorilla has implemented practices and policies to maintain appropriate organizational, physical and technical measures to safeguard the confidentiality and security of Customer Personal Data, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of processing as well as the rights and freedoms of natural persons, including as appropriate:

    • the pseudonymization, de-identification or encryption of data;

    • the ability to restore the availability and access to Customer Personal Data in a timely manner in the event of a physical or technical incident; and

    • a process for regularly testing, assessing and evaluating the effectiveness of TestGorilla’s Information Security Measures.

  • Incident response plan

    TestGorilla shall implement and maintain an incident response plan that specifies the actions, including containment, investigation, reporting, and remediation, to be taken in the event of a Security Incident.

  • Security incident

    In the event of a Security Incident affecting Customer Personal Data, TestGorilla will, without undue delay: (a) inform Customer of the Security Incident; (b) investigate and provide Customer with available detailed information about the Security Incident; and (c) take reasonable steps to mitigate the effects and minimize any damage resulting from the Security Incident, as required by applicable Data Protection Laws.

  • Audit

    TestGorilla shall make available to Customer, upon written request and subject to appropriate confidentiality obligations, a summary copy of the applicable third-party audit report(s) or certifications it maintains for its Services (e.g. ISO 27001 or SOC 2 Type II), so that Customer can verify TestGorilla’s compliance with this DPA, the audit standards against which it has been assessed, and the standards specified in the Information Security Measures.

  • Retention and deletion

    TestGorilla shall process and retain Customer Personal Data no longer than necessary for the purposes for which it is processed. Upon termination of this DPA or the Agreement, TestGorilla shall: (i) delete Customer Personal Data that is no longer necessary to carry out any of the purposes under this DPA or the Agreement; or (ii) upon Customer’s request, provide options to return or to erase, destroy, and render unrecoverable the Customer Personal Data, where reasonably possible. This section does not pertain to the personal data of data subjects other than Customer, such as the output or test results of an individual Candidate generated by the Services.

4. Details of customer personal data being processed

  • Subject matter

    The subject matter of the Processing under this DPA is Customer Personal Data. Any Candidate’s personal data is explicitly excluded from the subject matter of this DPA.

  • Duration

    TestGorilla may Process Customer Personal Data under this DPA until the termination or expiration of the Agreement.

  • Purpose

    The purpose of the Processing of Customer Personal Data under this DPA is to enable TestGorilla to deliver the Services and perform its obligations as set forth in the Agreement (including this DPA) or as otherwise agreed by the Parties in mutually executed written form.

  • Nature of the processing

    To provide the Services as described in the Agreement, TestGorilla will Process Customer Personal Data upon the instruction of Customer and in accordance with the terms of this DPA, including all applicable Addenda, and the Agreement.

  • Categories of data subjects

    Customer determines the categories and extent of any Customer Personal Data that it discloses to TestGorilla, which may include without limitation Customer Personal Data relating to the following categories of data subjects:

    • Employees, contractors, consultants, and individuals belonging to Customer, or Customer’s clients’ and partners’ workforce; or

    • Other individuals whose Personal Data is Processed as part of the provision of the Services.

  • Categories of personal data

    Customer determines the categories of any personal data that it discloses to TestGorilla, which may include without limitation Customer Personal Data relating to the following categories:

    • Identification and contact data (e.g., name, address, phone number, title, email, other contact details);

    • Employment details (e.g., job title, role, manager);

    • Answers to test questions and test results;

    • IT information (e.g., entitlements, IP addresses, usage data, cookie data, online identifiers);

    • Domain and device information (e.g., hostnames and qualified hostnames);

    • Information contained in logs related to security events identified and captured by Services; and/or

    • Unstructured data provided to TestGorilla for the purpose of providing support services (e.g., a packet capture (PCAP) for file testing).

  • Sensitive data transferred (if applicable)

    When processing personal data, primarily where a forensic investigation product is used whose purpose is to identify the underlying data, TestGorilla may process sensitive personal data. The nature and scope of the sensitive data that is transferred may not be known until after the Processing has taken place and may include: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; genetic data; biometric data; data concerning health; or data concerning a natural person’s sex life or sexual orientation.

  • Frequency

    The transfer of information between the Parties to facilitate TestGorilla’s Processing on behalf of Customer will occur as needed until the termination of the Agreement.

5. Processing of end-user data

Customer can configure the Services to share and transfer Customer Personal Data. Customer acknowledges, agrees and grants to TestGorilla the right, to the extent permitted by applicable law, to process and retain data, including personal data, relating to a security event that is shared or transferred by Customer, for the legitimate interest of operating, providing, maintaining, developing, and improving security technologies and services, including for purposes compatible with providing such services.

6. Compliance with laws

The parties shall process personal data in accordance with applicable Data Protection Laws. Customer represents and warrants that its use of the Services, its authorization for TestGorilla’s access to and any related submission of data, including any Customer Personal Data, to TestGorilla, complies with all applicable laws, including those related to data privacy, data security, electronic communication and the export of technical, personal or sensitive data.

7. PCI Compliance

TestGorilla is not a payment processor and as such is not subject to compliance with PCI standards. However, TestGorilla acknowledges that credit card information may be provided by Customer during the performance or use of the Services, and therefore TestGorilla shall use data security controls that are compliant with PCI standards.

8. Limitation of liability

This DPA does not modify TestGorilla’s liability towards Customer, whether in contract, tort or under any other theory of liability, as established by the other terms in force between Customer and TestGorilla.

9. Conflict of terms

In the event of a conflict between the terms of this DPA and other terms in force between Customer and TestGorilla, the terms of this DPA shall prevail with regard to data processing activities.

Appendix 1 to DPA: List of sub-processors

Sub-processor | Purpose | Country

Amazon Web Services Inc. | Cloud and data infrastructure service provider used to store customer and candidate data | Ireland (DPA in place)

Hubspot | Customer data for customer communication (email and chat). Data is limited to name, email, address, page visits and title. No test or assessment data is stored. | USA (DPA in place)

Zendesk | Customer support infrastructure. Personal data is only transmitted to a limited, clearly defined extent (e-mail address, first and last name). No test or assessment data is stored. | USA (DPA in place)

Churnzero | Customer support infrastructure. Personal data is only transmitted to a limited, clearly defined extent (e-mail address, first and last name). No test or assessment data is stored. | EU (DPA in place)

Brevo | Email address and name data only, used to send emails from the application to customers and candidates | France (DPA in place)

Vimeo | Candidate and customer data for video services (data is limited to video data). No test or assessment data is stored. | USA (DPA in place)