Employ, Inc. CPRA Data Processing Addendum

This CPRA Data Processing Addendum (“CDPA”) forms part of the agreement that references this CDPA (the. “Agreement”) by and between and Employ, Inc. (together with its affiliated entities, “Employ”) and Customer. This CDPA shall apply to “Personal Information” of a “Consumer” as defined under the California Privacy Rights Act of 2020 (“CPRA”) (referred to hereafter as “Customer Data”), that Employ processes in the course of providing Customer the Services under the Agreement.

The terms used in this Addendum shall have the meanings set forth in this CDPA. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect. In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be added as an addendum to the Agreement. If there is a conflict between any other agreement between the Parties including the Agreement and this CDPA, the terms of this CDPA will control.

This CDPA was last updated May 08, 2024. Employ reserves the right to periodically modify this CDPA upon written notice to Customer, and such modification will automatically become effective in the next Service Term.

1 Effectiveness

1.1 This CDPA will only be effective (as of the Effective Date) if executed and submitted to Employ accurately and in full. If you make any deletions or other revisions to this CDPA, it will be null and void.

1.2 Customer signatory represents to Employ that he or she has the legal authority to bind the Customer and is lawfully able to enter into contracts (e.g., is not a minor).

1.3 This CDPA will terminate automatically upon termination of the Agreement or as earlier terminated pursuant to the terms of this CDPA.


2 Data Processing

2.1 Customer’s Role. The Customer is a Business (as such term is defined under the CPRA), and as such Customer determines the purpose and means of processing Customer Data. Customer will provide Customer Data to Employ solely for the purpose of Employ performing the Services.

2.2 Employ’s Role. Employ is a Service Provider (as such term is defined under the CPRA), and as such Employ shall provide the Services and process any Customer Data in accordance with the Agreement. Employ may not retain, use, or disclose Customer Data for any other purpose other than for providing the Services and in performance of the Agreement.

2.3 Data Processing, Transfers and Sales. Employ will process Customer Data only as necessary to perform the Services, and will not, under any circumstances, collect, combine, share, use, retain, access, share, transfer, or otherwise process Customer Data for any purpose not related to providing such Services. Employ will refrain from taking any action that would cause any transfers of Customer Data to or from Employ to qualify as “selling personal information” as that term is defined under the CPRA.

2.4 Sub-Service Providers. Notwithstanding the restrictions in Section 2.3, Customer agrees that Employ may engage other Service Providers (as defined under the CPRA), to assist in providing the Services to Customer (“Sub-Service Providers”). A list of Employ’s Sub-Service Providers can be found at https://www.employinc.com/sub-processors/, provided always that such engagement shall be subject to a written contract binding each such Sub-Service Provider to terms no less onerous than those contained within this CDPA. Employ shall be responsible for all acts or omissions of its Sub-Service Providers as if they were the acts or omissions of Employ.

2.5 Security. Employ will use commercially reasonable security procedures that are reasonably designed to maintain an industry-standard level of security, and prevent unauthorized access to and/or disclosure of Customer Data. An outline of Employ’s minimum security standards can be found at www.employinc.com/security-exhibit/.

2.6 Retention. Employ will retain Customer Data only for as long as the Customer deems it necessary for the permitted purpose, or as required by applicable laws. At the termination of this CDPA, or upon Customer’s written request, Employ will either destroy or return Customer Data to the Customer, unless legal obligations require storage of the Customer Data.

2.7 Consumer Rights Requests. Employ provides Customer with tools to enable Customer to respond to a Consumer Rights’ requests to exercise their rights under the Data Protection Laws. To the extent Customer is unable to respond to Data Subject’s request using these tools, Employ will provide reasonable assistance to the Customer in responding to the request.

2.8 Assistance with Consumers’ Rights Requests. If Employ, directly or indirectly, receives a request submitted by a Consumer to exercise a right it has under the CCPA in relation to that Consumer’s Customer Data, it will provide a copy of the request to the Customer. The Customer will be responsible for handling and communicating with Consumers in relation to such requests.


3 Assessments & Third-Party Certifications

3.1 Impact Assessment Assistance. Taking into account the nature of the Processing and the information available, Employ will provide assistance to Customer in complying with its obligations under Applicable Law (inclusive) (which address obligations with regard to security, breach notifications, data risk assessments, and prior consultation). Upon request, Employ will provide Customer a list of processing operations.

3.2 Certification/SOC Report. In addition to the information contained in this CDPA, upon Customer’s request, and subject to the confidentiality obligations set forth in the Agreement place, Employ will make available the following documents and information regarding the System and Organization Controls (SOC) 2 Report (or the reports or other documentation describing the controls implemented by Employ that replace or are substantially equivalent to the SOC 2), so that Customer can reasonably verify Employ’s compliance with its obligations under this CDPA.

3.3 If Customer has reasonable cause to suspect that Employ is not providing the platform in a manner consistent with CPRA and allowing unauthorized use of personal information, Customer may (i) submit an inquiry to privacy@employinc.com, (ii) cease use of their license until they are able to confirm Employ’s compliance, or (iii) with evidence of non-compliance of CPRA terminate the Agreement between the parties.


4 Enforceability. Any provision of this CDPA that is prohibited or unenforceable shall be ineffective to the extent of such prohibition or unenforceability without invaliding the remaining provisions hereof. The parties will attempt to agree upon a valid and enforceable provision that is a reasonable substitute and shall then incorporate such substitute provision into this CDPA.

5 Liability. To the extent permitted by applicable laws, liability arising from claims under this CDPA will be subject to the terms of the Agreement.

6 Signatures. Facsimile or scanned signatures and signed facsimile or scanned copies of this CDPA shall legally bind the parties to the same extent as originals. This CDPA is executed, accepted and agreed by the authorized representative party from Employ and Customer as of the Effective Date per above.