Data processing agreement
Version 1.02
21 June 2023
This Data Processing Agreement (“DPA”), together with the General Terms and Conditions (“GTCs”), the master agreement and the JCA at globus.ai/jca, accepted by the Customer, constitutes a legally binding commitment between Globus AI AS (“Processor”) and its customer (“Controller”), effective from the date the MSA is signed, unless the parties thereto have agreed otherwise in writing.
The latest version of this DPA is available at globus.ai/dpa. Globus AI may amend this DPA and inform the Customer thereof. Such amendments shall apply beginning ten (10) days from the date of posting on globus.ai/dpa. Notwithstanding anything to the contrary, the Processor will not change the technical or organisational measures in a way that reduces the level of security without informing the Controller.
Purpose
This agreement sets out the rights and obligations of Globus AI AS (the Processor) when processing personal data on behalf of the Controller pursuant to the GTCs. This agreement (“DPA”) shall ensure that the processing meets the standard of the General Data Protection Regulation (GDPR), as well as any supplemental Norwegian data protection regulations.
1. The data Processor’s duties
1.1. The Processor shall:
a. Only process personal data in accordance with documented instructions of the Controller. The Processor shall notify the Controller if any of the instructions are in violation of the GDPR or any other applicable data protection regulations. The Processor shall also notify the Controller if the Processor is required by mandatory law to process personal data contrary to the Controller's instructions;
b. Ensure that employees and sub-processors or other third parties authorised to process personal data on behalf of the Processor in accordance with Section 4 are subject to obligations of confidentiality;
c. Implement appropriate technical and organisational measures required pursuant to Article 32 of the GDPR. The data security measures are described in Appendix 2;
d. Ensure that any sub-processors processing personal data on behalf of the Processor have entered into a binding agreement with the Processor pursuant to Article 28(2) and (4) of the GDPR;
e. Notify the Controller if personal data are to be transferred outside the EEA and ensure that the personal data are adequately protected by EU model clauses or another basis for transfer pursuant to the GDPR;
f. At the request of the Controller, within a reasonable period of time, make available all information necessary to document that the Processor fulfils Article 28 of the GDPR. The Processor shall enable the Controller to perform audits and inspections, either by the Controller or by a third party designated by the Controller and bound by a duty of confidentiality;
g. Keep a record (log) of the processing activities carried out on behalf of the Controller, which shall at least contain the information required pursuant to Article 30 of the GDPR: the name and contact details of the processor and controller; the categories of processing carried out on behalf of each controller; international transfers of data; and a description of the technical and organisational security measures in place. The Controller can request a copy of such record at any time;
h. Immediately notify the Controller if the Processor receives a request from an authority to disclose personal data processed under this DPA. The Processor is not obliged to notify if the law prohibits such notification. Unless required by law, the Processor shall not comply with such a request without prior written notification of the Controller;
i. Assist the Controller in responding to requests from the data subject pursuant to Chapter III of the GDPR (including the right to information, access, correction and erasure);
j. Assist the Controller in fulfilling their duties pursuant to Articles 32-36 of the GDPR.
1.2. The scope of the Processor’s duty to provide assistance to the Controller under i) and j) shall take the nature of the processing and the information available to the Processor into account. The Processor has the right to invoice the Controller for work performed in order to fulfil the duties described in i) and j) pursuant to the hourly rates agreed in the principal agreement. The Processor does not have the right to charge for fulfilling other duties under this agreement.
1.3. The Controller shall:
a) have a legal basis to use and process contact data and keep records of consent and evidence of other lawful purposes of processing, where this is required by applicable Data Protection Laws;
b) accept full responsibility for the following factors related to the data it provides, including but not limited to:
(i) ensuring that the Customer Data is accurate and of good quality;
(ii) adhering to all the necessary requirements of applicable Data Protection Laws, including obtaining any necessary consents and authorisations for the collection and use of Personal Data, especially for marketing purposes;
(iii) ensuring that the Controller has the right to transfer or provide access to the Personal Data to the Processor for processing according to the terms of the Agreement and this DPA;
(iv) guaranteeing that any Instructions given to the Processor concerning the Processing of Personal Data comply with applicable laws, including Data Protection Laws;
c) be responsible for compliance with all relevant laws, including Data Protection Laws, regarding any emails or content created, sent, or managed through the Processor's services as per the MSA, including obtaining consents where required to send emails, email content, and email deployment practices.
2. Instructions
The GTCs and this DPA constitute the final instructions of the Controller (with regard to data processing) at the time of the conclusion of this DPA. The Controller reserves the right to issue further instructions, but if the Controller's instructions are not covered by the scope of services agreed in the GTCs and the Offer, they shall be treated as a request for a change of services. In the event of proposed modifications, the Processor shall inform the Controller about the impact on the agreed services, in particular the possibility of providing the services, deadlines and remuneration.
If the Processor cannot reasonably be expected to implement the instruction, the Processor shall be entitled to reject the instruction. In the event that the Controller nevertheless insists on the instruction, the Processor has a special right of termination and can terminate the processing – and further terminate the DPA and the GTCs – at any time with immediate effect.
3. Notification routines
In the event of a personal data breach, the Processor shall notify the Controller within 48 hours. The notification shall at least describe:
- The nature of the personal data breach, including, if possible, the categories and the approximate number of data subjects affected;
- The name and contact information of the data protection officer or other contact from whom information can be obtained;
- The likely consequences of the personal data breach;
- The measures taken or proposed to be taken to address the personal data breach, including any measures to mitigate its possible adverse effects.
Where all of the information above cannot be given in the first notice, the information shall be provided without undue delay and no later than 72 hours after the occurrence of the personal data breach. The Controller shall ensure that an incident report is sent to the relevant Data Protection Authority in accordance with GDPR art. 33.
4. Use of sub-processors
The Controller hereby grants a general authorisation to use sub-processors.
The list of sub-processors is published on the Processor’s dedicated webpage as follows:
https://globusaioutlook.sharepoint.com/sites/GDPR/StaffingProcessors
The Processor has the right to replace sub-processors or add new sub-processors, and to amend the list of sub-processors published on the website (hereinafter “Changes”), as necessary. In such event, the revised list of sub-processors will be posted on the Processor's website with an indication of its effective date.
The Controller shall be informed of any Changes, and the Controller shall have the right to object to such Changes and inform the Processor thereof no later than 10 (ten) calendar days from the date of publication of the Changes. Failure to receive such objections within the specified period means acceptance of the Changes.
The Controller may not reject a new sub-processor without legitimate reason. Any rejection based on a well-founded suspicion that the level of data protection may be degraded as a result of the change of sub-processor shall be regarded as a legitimate reason.
If the rejection is based on illegitimate grounds, the Processor is entitled to a fee equivalent to the subscription fee for the last 12 months before the rejection, and the parties should discuss possible amicable solutions in order to maintain the agreement and the present DPA in force.
5. Transfer of data to third countries
The transfer of the Controller's data to a third country requires the prior consent of the Controller and may only take place if the special requirements of Art. 44 et seqq. of the GDPR are fulfilled. If these requirements are met, there must be important data-protection-related reasons to refuse consent.
The Processor acknowledges that any transfer of the Controller's data to Third Countries is subject to appropriate safeguards, such as, where necessary, a contract on EU-approved terms known as standard contractual clauses (SCCs) concluded with the respective sub-processor located in the Third Country. The Processor shall also verify that the level of protection provided to the personal data following the transfer is essentially equivalent to, and does not undermine, the level of protection guaranteed to data subjects under the GDPR. Approval of the list of sub-processors by the Controller constitutes agreement to such transfers.
6. Audits
Each party shall cover its own costs related to audits. In the event an audit reveals a material deviation from the obligations of this Agreement, all costs, including the Controller’s and external auditors’ reasonable costs, shall be covered by the Processor.
7. Liability and compensation
The parties shall cover their own administrative fines and other penalties imposed as a result of violations of data protection laws.
In case a party becomes liable to pay compensation due to circumstances which the other party is responsible for, the responsible party shall make the compensation payment. The liability is limited as described in the GTCs and shall only cover direct loss.
8. Duration of the agreement
The agreement is in force for as long as the Processor processes personal data on behalf of the Controller pursuant to the GTCs and the MSA.
In the event of a breach of this agreement or data protection laws, the Controller may instruct the Processor to stop further processing of the data with immediate effect.
9. Return, deletion and/or destruction at the end of the Agreement
Upon termination of this Agreement, the Processor is obligated to return all personal data received on behalf of the Controller.
The Controller may require that the Processor deletes or destroys all personal data processed under this agreement. The Controller may ask the Processor to confirm in writing that the deletion is completed. The deletion shall be carried out no later than 60 days after the agreement is terminated. Deletion means that the personal data are permanently deleted from all systems, except for the backup system. Only technical personnel shall have access to the backup system.
10. Law and legal venue
The law and legal venue are pursuant to the GTCs.
Appendix 1: The scope of the processing
The purpose of the processing
The Processor will process personal data to provide its virtual staffing assistance service (the “Service”), and to improve its products and services as set out in the GTCs. The Processor has been assured that the Controller has complied with all applicable data protection laws and regulations, and that the Controller is able to lawfully transfer its data to the Processor to be processed as set out in the GTCs.
Types of personal data processed
Candidates: name, telephone number, e-mail address, work schedule, educational background, employment information (regular employee/temporarily employed etc.), time reports (hours worked, hours scheduled, overtime, absence etc.), salary information (salary, bank account etc.), personal information including identity number (CPR number), IP address, data about actions in the system. Work-related data: job application information (CV, personal letter, picture, test score, references etc.), certification, work history (which employees have attended which assignments), work schedules and future assignments, assignment information, activities and visits, names, addresses, team, Gerica ID.
Users (recruiters): name, company, email, phone number, IP address, data about actions in the system (ex., click data and product view data).
Representatives of customers of the Controller: name, phone number, email, company, location, IP address, data about actions in the system.
Processing activities
Organisation, matching of data sets, data administration, structuring, storage, alteration, retrieval, use, data transfer, erasure or destruction.
The categories of data subjects
Personnel/employees of the Controller (users) - for use of services directed to sales, assignments and candidates; Candidates - for the use of Processor’s services directed to the career opportunities. Representatives of customers of the Controller – to enable direct communication on the Processor’s platform.
The duration of the processing
The Processor will process personal data on behalf of the Controller for the duration of the agreement between the parties, unless otherwise agreed in writing. Data is deleted as soon as possible and no later than sixty (60) days after the agreement has been terminated or the Controller has requested the personal data to be deleted.
Appendix 2: Security measures
Organizational and technical security measures that are to be implemented by Globus AI (Processor):
- Physical access control
- System access control
- Personal data access control
- Transfer access control
- Pseudonymization measures
- Encryption measures
- Access control and password routines
- Routines for critical events
- Control of entry of personal data
- Control of availability
- Control of separation
- Storage Policy
1. Physical access control
The Processor’s office is divided into areas categorised by risk, including:
- An access-controlled area assigned to hosting customers and visitors (corresponding to the office).
- A service area assigned to the Service (a delimited area of the office corresponding to the part of the offices where data are processed).
- A security area assigned to housing switches for the office internet connections, and computer and telephony equipment not assigned to a specific employee (a delimited, access-controlled area of the office).
The Processor maintains an up-to-date list of individuals (including employees, service providers and temporary staff) who have access to the office and are authorised to enter the office without escort. Individuals needing to access the Processor’s service area or the security area are escorted (from the time they arrive, during their visit and until they exit the office) by an authorised member of the organisation. Access rights to the security area are further restricted. The list of persons with access to the security area is regularly reviewed and persons are removed if necessary.
The Processor’s office has an alarm system installed to detect an unauthorized entry.
- The main office door is locked and all entries are registered digitally.
- The alarm system is automatically activated at night.
2. System access control
Measures to prevent unauthorized use of IT systems:
The Processor is allowed access to the Controller’s system in two specific scenarios: when there is a need to access shared email mailboxes and when interacting with the ATS systems. All other processing activities are conducted within the Processor's systems hosted on MS Azure.
The access permissions for employees and contractors of the Processor are meticulously validated by the senior management and are closely supervised to assure the security of the data. The access rights are revoked or altered when an individual no longer has the authorization to access certain resources, when their employment contract comes to an end, or during a change in their job role. Regular audits of access rights are carried out to make certain that they correspond with each user's responsibilities.
Authorized individuals within the Processor’s organization are granted access using either personal login credentials or general user profiles. When a key vault is in use, passwords are securely hashed. In cases where there is integration with interactive access to ATS using shared accounts, multi-factor authentication (MFA) is implemented.
3. Personal data access control
Measures to ensure that persons authorized to use the IT system only have access to personal data restricted to the person's established authority.
The Controller handles the management of its user profiles via the Controller's interface, and these accounts are governed through the federated identity provider, unless the Processor has created local users at the request of the Controller.
The Processor employs a robust access control system, which includes creating, reviewing, and deleting user accounts. The Processor has an interface supporting features for defining its users’ profiles and separating tasks and areas of responsibility, limiting access to personal data exclusively to authorised users by applying need-to-know and least-privilege principles.
- User profiles can be designed in centralized fashion (with specific privileges for the use of functions and creation, read access, modification, deletion and transfer of data)
- Each person can be assigned one or more of the defined profiles when the employment contract takes effect or upon changing roles or jobs.
4. Transfer access control
Measures to ensure that personal data cannot be read, copied, modified or deleted by electronic transmission or transfer or storage on storage devices without permission, and that recipients can be identified and verified when transfer of personal data is performed via electronic transmission:
All electronic transfers are encrypted with SSL/TLS. Recipients are identified and verified using access tokens.
At Globus AI data transfer access control is implemented through Microsoft Azure Active Directory. Additionally, the Microsoft Azure Cloud encrypts all electronic transfers. The senders and recipients are identified and verified using electronic access tokens.
As a result, no personal data can be read, copied, modified or deleted by electronic transmission or transfer or storage on storage devices without explicit permission. Additionally, all recipients can be identified and verified when transfer of personal data is performed via electronic transmission.
5. Pseudonymization measures
All personal or sensitive data will be kept in a restricted database with separate login access. The rest of the data can be stored in an unrestricted database. The separation enables accountability, as only individuals with restricted access and proper training in handling personal data may work with such data. The data in the unrestricted database will have undergone anonymisation or pseudonymisation and thus cannot be correlated with personal identifiers. The data in the unrestricted database may also be persistent and need not be forgotten. It is enough to remove it from the restricted database, where personal identifiers can be correlated with other data.
When data is collected, each attribute will be inspected to understand if there is a legitimate reason for collecting it or not. When data is ingested into the system, it will be tokenized, and a separate lookup file will be created to associate between the original entry and the token. The lookup file will be stored in the restricted database.
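The following Python sketch is an added illustration of the tokenisation pattern described in this section (it is not Globus AI's code): identifying attributes are replaced by a random token at ingestion, the token-to-identifier lookup lives only in the restricted store, and erasing that lookup leaves the unrestricted records intact but non-correlatable. The attribute names, the collection policy and the sample records are constructed for the example.

```python
"""Tokenising pseudonymisation with a restricted lookup store.

Hypothetical illustration of the two-database split in Appendix 2, section 5
(added example, not Globus AI code). Identifiers are swapped for a random
token at ingestion; only the restricted store can map a token back.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Collection policy: every attribute is inspected at ingestion. Attributes not
# listed here have no documented purpose and are dropped. (Constructed policy
# for the example; the real categories are in the DPA's Appendix 1.)
IDENTIFYING = {"name", "email", "phone", "cpr_number"}
NON_IDENTIFYING = {"work_schedule", "hours_worked", "overtime", "role"}
SUBJECT_KEY = "cpr_number"  # attribute used to recognise the same data subject


class AccessDenied(PermissionError):
    """Raised when a caller without restricted-store access tries to re-identify."""


@dataclass
class RestrictedStore:
    """Holds token -> identifiers. Only trained, authorised staff may open it."""
    lookup: Dict[str, dict] = field(default_factory=dict)   # token -> identifiers
    subject_index: Dict[str, str] = field(default_factory=dict)  # subject -> token

    def token_for(self, identifiers: dict) -> str:
        key = identifiers[SUBJECT_KEY]
        if key not in self.subject_index:
            # Random token: nothing about the CPR number can be recovered from it,
            # so a low-entropy identifier cannot be brute-forced back from the token.
            tok = secrets.token_hex(16)
            self.subject_index[key] = tok
            self.lookup[tok] = dict(identifiers)
        return self.subject_index[key]

    def forget(self, subject_key: str) -> bool:
        """Erase the link; unrestricted records keep the now-orphaned token."""
        tok = self.subject_index.pop(subject_key, None)
        if tok is None:
            return False
        del self.lookup[tok]
        return True


@dataclass
class Pipeline:
    restricted: RestrictedStore = field(default_factory=RestrictedStore)
    unrestricted: List[dict] = field(default_factory=list)  # pseudonymous records

    def ingest(self, raw: dict) -> Tuple[dict, Set[str]]:
        """Split one raw record; returns (stored pseudonymous record, dropped attrs)."""
        identifiers = {k: v for k, v in raw.items() if k in IDENTIFYING}
        payload = {k: v for k, v in raw.items() if k in NON_IDENTIFYING}
        dropped = set(raw) - IDENTIFYING - NON_IDENTIFYING  # no legitimate reason
        if SUBJECT_KEY not in identifiers:
            raise ValueError("record lacks the subject key; cannot tokenise")
        record = {"token": self.restricted.token_for(identifiers), **payload}
        self.unrestricted.append(record)
        return record, dropped

    def reidentify(self, token: str, *, restricted_access: bool) -> Optional[dict]:
        """Resolve a token to identifiers; refused without restricted-store access."""
        if not restricted_access:
            raise AccessDenied("restricted database login required")
        return self.restricted.lookup.get(token)

    def records_for_subject(self, subject_key: str) -> List[dict]:
        """Gather a subject's pseudonymous records (needs the restricted index)."""
        tok = self.restricted.subject_index.get(subject_key)
        return [r for r in self.unrestricted if r["token"] == tok]


# Constructed sample input: two time reports for the same (fictitious) candidate.
SAMPLE_RECORDS = [
    {"name": "A. Example", "email": "a@example.invalid", "cpr_number": "000000-0000",
     "hours_worked": 37.5, "overtime": 2, "shoe_size": 42},
    {"name": "A. Example", "cpr_number": "000000-0000",
     "work_schedule": "week 24: Mon-Fri", "role": "nurse"},
]
```

Note that `records_for_subject` only works while the restricted index exists; after `forget` the subject's records remain in the unrestricted store but can no longer be found by identifier.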
6. Encryption measures
Azure Storage Service Encryption helps protect and safeguard data, including personal data, in support of organisational security commitments and compliance requirements defined by frameworks and regulations such as the GDPR. Azure Storage Service Encryption allows us to request that the storage service automatically encrypt the data when writing it to Azure Storage. Microsoft handles all the encryption, decryption, and key management in a fully transparent fashion. All data is encrypted using 256-bit AES (Advanced Encryption Standard) encryption, also known as AES-256, one of the strongest block ciphers available. We can enable this feature on all available redundancy types of Azure File Storage, since both options – LRS (locally redundant storage) and GRS (geo-redundant storage) – are included.
The processor will also use Azure Disk Encryption for virtual machines that are hosted in Azure and have Windows or Linux running as a local operating system. By doing so, all data inside these virtual machines is encrypted automatically as well.
Transparent Data Encryption with Azure SQL Database will help protect against the threat of malicious activity by performing real-time encryption and decryption of the database, associated backups, and transaction log files at rest. All of this takes place without requiring changes to the applications.
7. Access control and password routines
We will use Azure Role-Based Access Control (RBAC) to enforce separation of duties. This Azure service enables defining fine-grained access permissions to grant only the amount of access that users need to perform their jobs. Instead of giving everybody unrestricted permissions for Azure resources, we allow only certain actions for accessing personal data.
Azure Key Vault, a cloud-hosted service for managing cryptographic keys and other secrets used in cloud applications, provides capabilities to help with the protection of data and access to data. This Azure service enables us to safeguard cryptographic keys, certificates, and passwords. Azure Key Vault uses specialized hardware security modules (HSMs) for maximum protection and is designed in a way that allows us to maintain control of keys and data.
To minimize the number of people who have access to certain information, such as personal data, we can also use Azure Active Directory Privileged Identity Management. This functionality allows discovering, restricting, and monitoring privileged identities and their access to resources. It is also possible to enforce on-demand, just-in-time administrative access when needed.
8. Routines for critical events
We have adopted Microsoft Azure routines for critical events: https://docs.microsoft.com/en-us/azure/architecture/resiliency/disaster-recovery-azure-applications
9. Control of entry of personal data
Measures to ensure that persons authorized to use the IT system only have access to personal data restricted to the person's established authority:
The Controller manages user profiles through the Controller's interface. The Controller’s interface supports features for defining users’ profiles and separating tasks and areas of responsibility, limiting access to personal data exclusively to authorised users by applying need-to-know and least-privilege principles.
- User profiles can be designed in centralized fashion (with specific privileges for the use of functions and creation, read access, modification, deletion and transfer of data)
- Each person can be assigned one or more of the defined profiles when the employment contract takes effect or upon changing roles or jobs.
At Globus AI we use Azure Information Protection to automate the process of classifying categories of data, including personal data. The classification is identifiable always, regardless of where the data is stored or with whom it is shared. The persistent labels include visual markings as well as metadata that is added to files and email headers in clear text, so that other services (such as data loss prevention solutions) can identify the classification and take appropriate action.
In addition to tagging personal data in Azure Information Protection, we will use Azure Data Factory and/or Azure HDInsight for this purpose. Azure Data Factory has capabilities to help trace and locate personal data, including visualization and monitoring tools to identify when data arrived and where it came from. There are also capabilities for automating data pipelines with on-demand cloud resource management.
This ensures security and control of access to personal information. Additionally, the foundational customer data protection in Microsoft Azure ensures data segregation, encryption and redundancy.
10. Control of availability
Backup of personal data is done regularly by the Processor:
- A complete backup is performed at least weekly
- Incremental backup is performed at least daily to capture any changes that have occurred since the last full backup.
Backups are retained for 5 weeks and verified regularly (at least yearly) by producing a full restore and verifying access to and integrity of the restored data. Backups are transmitted to a location separate from the primary data. Backups have the same level of security as the original data. A disaster recovery plan is held by the Processor to ensure that the organisation, staff, systems and premises necessary to carry out the processing are available within a timeframe that corresponds to the agreed level of service.
To enhance the redundancy of our data, we leverage Microsoft Azure's three-level data redundancy system as appropriate for the type of database. Locally redundant storage (LRS) is replicated three times within a single facility in a single region. LRS protects data from normal hardware failures, except for a failure of the whole facility.
11. Control of separation
Measures to ensure that personal data collected for different purposes can be treated separately:
The Processor processes the Controller’s data only for providing its services to the Controller and improving the Processor's products and services, as specified in the JCA. The Processor does not use the Controller’s data for other purposes that would require separate processing.
12. Storage Policy
Measures to ensure that personal data are deleted during and after the term of agreement when use is no longer necessary for the initial purpose:
Data is kept during the term of the agreement and deleted as soon as possible and no later than sixty (60) days from the date the Controller terminates any of the agreements or requests the personal data to be deleted.
Security measures (including those described in the present Agreement) are subject to change at any time by the Processor. The Controller will be informed by the Processor of any significant changes in advance and may obtain up-to-date information on security measures by sending an email to privacy@globus.ai.
In case of objections to changes to these security measures, the Controller shall inform the Processor about the objections no later than 10 (ten) calendar days after being informed. Failure to receive such objections within the specified period means acceptance of the changes.