Privacy Notice

01 July 2024

Intro

This Product Specification provides an overview of what Globus can offer in terms of product functionalities; the precise features included are detailed in the Quote.

The GTCs accepted by the Customer refer to this Product Specification, and constitute a legally binding commitment from the date the GTCs are accepted, unless the parties thereto have agreed to the opposite in writing.

The Globus Customer Success team will facilitate the set-up and project implementation with specific systems and Customer-specific features if those have been agreed to and communicated during the kick-off. Globus will also provide training and support to users during the implementation period, as agreed by the parties.

All potential changes to the product scope will be communicated here.  

Application Scope

  • A cloud-based web application built on scalable infrastructure.
  • Customisable tenant environment that allows users to work from wherever.
  • Access Globus staffing on mobile and desktop browsers.
  • Globus staffing can be configured with a read-integration with your CRM.
  • AI-based email information extraction.
  • Globus processes emails received by the client's team and creates orders in the System automatically.
  • Globus can fetch new orders from your existing order portals if data is accessible (for new portals, an estimate will be provided to the customer).
  • Globus facilitates engaging with potential candidates within your existing database through personalized engagement campaigns.

Integrations

User authentication

Globus Staffing will be configured for users. The users will access Globus Staffing using their Office365 accounts and Single-Sign-On or a unique username and password.  

ATS/CRM Integration

Globus can integrate with ATS/CRMs to get a list of candidates, customers, and/or orders. To initiate the integration implementation, Globus depends on the following information: API key/access tokens for the Production environment and the Sandbox environment.

Given that all information is available, the CRM integration will allow for fetching data on:

  • Customers with attributes, departments/projects
  • Candidate profiles with attributes

Office365 E-mail integration (if applicable)

Globus can integrate with your shared inbox, to fetch job requests received by email. Each email will automatically generate a corresponding job requirement in Globus Staffing. It is always recommended that job requirements parsed from e-mails are verified in Globus Staffing by the end-users to ensure that data is parsed correctly.

  • Emails will be directly accessible in Globus Staffing.
  • The level of detail of the job requirements in Globus Staffing is dependent on the structure and format of e-mails.
  • All parsed e-mails will receive a “Globus” label in the shared Outlook inbox.

Parsing setup

  • Set up a shared inbox 
  • Send credentials of a shared inbox 

If the client has another email provider, Globus is able to receive and process forwarded emails to a separate email inbox created specifically for the client’s emails.

Product Capabilities

Dashboard

The dashboard is the main page for the user. It is intended to provide a work overview and help the user select the right thing to get done next:

  • General month statistics.
  • TOP of orders (it’s possible to select a segment to display).
  • TOP of candidates (it’s possible to select a segment to display).
  • Recommendations and highlights.

Order: management and fulfilment

To allow the user to find the orders, there is a powerful search and filtering functionality. To narrow order searches on the orders page, custom dynamic segments can be configured by the user. There are predefined segments available and the user can create their own segments.

Order creation and modification

The following fields will be enabled in Globus Staffing on the order creation page. These fields will have dropdown lists with data fetched from your CRM integration (with possibilities of auto-complete search) or will be automatically populated through parsing (quality of data population is dependent on e-mail structure and quality).  

  • Customer name
  • Department/ project name
  • Location  
  • Contact Person  
  • Information for Candidates
  • Role    
  • Skills and competences
  • Shift date and timings
  • Period date and timings (for longer job requests)

AI-based email information extraction

The order edit UI displays the attached emails that were used to create the order.

The order is pre-filled with the information AI extracted from the email.

It is always recommended that the end-users verify job requirements parsed from e-mails in Globus Staffing to ensure that the data is parsed correctly.

Order fulfilment

Recommender and Matching

Globus will configure and enable our AI-matching functionality for all job requests. When job requests are created either manually or through parsing, Globus will automatically match candidates based on weighted parameters.

Matching parameters include:  

  • Matching role
  • Matching skills and competences
  • Matching location  
  • Candidate availability
  • Candidate work history
  • Candidate’s location and working time preferences

The user is able to clarify (filter or exclude) the suggested list of candidates by specific parameters, such as location, work experience, role, skills, etc.

Additionally, self-learning will improve matching results over time.  

Matching criteria will be weighted during the implementation phase, to ensure the most accurate recommendations.

Fulfilling orders with Globus

Send orders to your candidates via SMS or email. The candidate then has the opportunity to view the order’s details and decide whether to accept or reject some or all of the shift(s) or period offered.

You will be instantaneously notified of the candidate’s response within the application.

Candidate confirmation 

After assigning a candidate to a shift or when a customer has accepted the candidate, the candidate will be sent a confirmation email (and/or SMS) that may include:

  • Customer
  • Department
  • Visiting address of the customer (if available)
  • Role
  • Contact information (If agreed to be enabled)
  • Overview of assigned shifts/period

Candidates

All candidates fetched from your ATS/CRM will be displayed in the candidates’ section in Globus Staffing. Booked shifts and/or periods are visible in the candidate calendars.

To allow the user to find the candidates, there is a powerful search and filtering functionality. To narrow order searches on the candidates' page, custom dynamic segments can be configured by the user. There are predefined segments available and the user can create their own segments.

Candidate(s) availability can be seen on the individual candidate calendar. Availability requests can be sent to one candidate or bulk-sent to multiple candidates from the candidate menu. Candidates receive a web link where they easily can update availability.

  • Candidate responses are updated immediately in Globus Staffing and will be reflected in the calendar view.  
  • Candidate availability can also be added/edited by end-users of Globus Staffing
  • Candidate availability will be used for matching candidates to job requests.  
  • Candidates are able to provide their work-time preferences as well.

Talent Engagement

This add-on feature facilitates tailored interaction with candidates from your existing talent pool through specialized engagement e-mail campaigns.

It allows the construction of customized email campaigns delivered straight to potential candidates' inboxes.

Integrated analytics provide detailed tracking of campaign engagement, including open and interaction rates.

This module serves to enhance an agency's brand visibility or advertise specific job opportunities, thus expanding the active talent base.

A unique aspect of this module is its ability to automatically segment activated candidates, enabling recruiters to concentrate resources on the most promising prospects.

The 'TalentEngagement' module can include powerful AI-based tools that simplify the creation of inspirational and engaging content for email campaigns.

Customers

All customers fetched from your ATS/CRM will be displayed in the candidates’ section with the capability to edit candidates’ profiles.

Order portal

An order portal that can be enabled per customer, allowing customers to place job-requests directly onto your Globus account. Order portals can be configured as requested.

Customer representatives get their own credentials for the order portal. They can create an order based on the following parameters:

  • Customer name (pre-set)
  • Department/project
  • Location
  • Role
  • Skills and competences
  • Time of shift/period
  • Due date
  • Additional comments

Submitted job requests from the portal will be automatically created in Globus Staffing.

Candidates’ interfaces

The candidates have transactional interfaces that allow them to provide their availability and accept/decline opportunities that were personally offered to them.

Links to the candidate’s interfaces are delivered by email or SMS notifications.

The availability-providing interface has a permanent link for the candidate, so they can bookmark the link and return to the system whenever they decide.

Candidate and customer communication

When working with Globus Staffing there are several possibilities for sending out information to candidates (through SMS and E-mail) and customers (through E-mail). 

Before Go-live, Globus will provide a template with examples of all E-mails, SMS, and other text information visible to external parties, so these can be customized.

Help and Support

As part of your standard package with Globus you have a dedicated Customer Success Manager ("CSM") to lead you through implementation and onboarding. You will also have access to a full development team covering parsing, integrations and configuration (at an applicable T&M rate).

Depending on your implementation requirements, regular meetings will be scheduled, and project timelines created and shared.


Full training is provided by your CSM during the onboarding phase, and refresher training can be booked after your initial go-live.

Resources can be accessed in the Globus help centre https://intercom.help/globusai/en/ and the team can be reached on support@globus.ai or by using the chat bubble within the Globus application.  

New features and updates are published here and you will be informed about them via in-app announcements.

With love,

Globus AI team

1. Who are we?

The company responsible for processing your personal data is:

Name: Globus AI AS

Address: Rådhusgata 6, 4306 Sandnes, Norway
E-mail: privacy@globus.ai

2. Who are you?

The personal data processed relates to candidates for work placements, users of our system and customers of our clients.

3. Why do we process your personal data?

The purposes are:

  • to connect you with the most relevant jobs through our SaaS product - Digital assistant for staffing agencies (who are data Controllers in this case).
  • to train our artificial intelligence and machine learning algorithms to power the development of the machine learning models to place candidates in the most suitable positions (if applicable).

Such improvements benefit each separate candidate whose data were used in any specific instance.

4. The type of personal information we collect?

General information, such as name, telephone number, address, e-mail address, work schedule, employment information (temporarily employed etc.), IP address.

Work-related data: Work history (which employees have attended which assignments), time reports (hours worked, hours scheduled), work schedules and future assignments, assignment information, salary when it is needed.

5. How we get the personal information?

Personal information we process is provided to us directly by you when you respond to a job request in the product.

We also receive personal information indirectly, from the recruitment/staffing agency you are working with. If that’s the case, a Joint Controller Agreement published on globus.ai/jca is also applicable.

6. How we store your personal information?

Your information is securely stored in our systems on the Microsoft Azure Cloud Computing Platform & Services. We keep your information for as long as it is processed by our partners (the staffing agencies) in the databases from which we obtained it. We will also erase your information from our database at your request.

7. How do we share your personal data?

Cloud computing systems

We also will share this information with our processors who adhered to the SCCs published on globus.ai/scc that assist us in our development efforts (as those are private individuals, we will be able to provide their details upon request at privacy@globus.ai.)

WE WILL NEVER SELL YOUR DATA.

8. Why are we allowed by law to process your personal data?

By law we are allowed to process your personal data to pursue our legitimate interest (see Article 6(1)(f) of the General Data Protection Regulation 2016/679) because training of ML algorithms is inseparable from providing our services.

As for the data entrusted by your staffing agency for placement purposes, we process it as a processor as per the DPA globus.ai/dpa.

9. When do we transfer your personal data outside the EEA?

For the objectives outlined in Section 3 above, we may grant our developers in countries outside the European Economic Area (EEA), such as Montenegro, Kazakhstan, Armenia, and Georgia, access to your personal data. Please be aware that this is not always applicable, as access is granted according to specific roles. We use SCCs as a safeguard, as required by law, to protect your personal data in case of such transfers, and we have made all necessary assessments. Please let us know at privacy@globus.ai if you wish to have any details about international transfers.

10. Your data protection rights & complaints

Where we use your Personal Data for the activities mentioned in this Privacy Notice, you may:

  • request further details about how we use your Personal Data, including receiving a copy of your Personal Data (‘Right of access’)
  • request that we correct, update or erase your Personal Data (‘Right to rectification’)
  • request that we restrict the use of your Personal Data (‘Right to restriction’)
  • object to us using it, or that we use it for direct marketing (‘Right to object’)

Where we use your Personal Data specifically based on your consent, you also have the right to request that we transfer your Personal Data to you or a third party (‘Right to data portability’).

If you wish to exercise your rights, you can contact us by sending an e-mail to privacy@globus.ai

How to file a complaint

If you have any queries that cannot be clarified as a result of internal dialogue with us or you wish to file a complaint, you can contact the Norwegian Data Protection Authority at https://www.datatilsynet.no

This Data Processing Agreement (“DPA”) together with the General Terms and Conditions globus.ai/legal/gtc (“GTCs”) and the Joint Controller Agreement globus.ai/legal/jca (“JCA”), accepted by the Customer, constitute a legally binding commitment between Globus AI AS (“Processor”) and its customer (“Controller”), from the Effective Date.

The latest version of this DPA is available at globus.ai/legal/dpa. Globus AI may amend this DPA and inform the Customer thereof. Such amendments shall apply beginning ten (10) days from the date of posting it on globus.ai/legal/dpa. Notwithstanding anything to the contrary, the Processor will not change the technical or organisational measures which will reduce the level of security without informing the Controller.

Purpose

This DPA sets out the rights and obligations of Globus AI AS as the Processor processing personal data on behalf of the Controller pursuant to the GTCs, and shall ensure that the processing meets the standard of the General Data Protection Regulation (GDPR), as well as any supplemental Norwegian data protection regulations.

1. The data Processor’s duties

1.1. The Processor shall:

a. Only process personal data in accordance with documented instructions of the Controller. The Processor shall notify the Controller if any of the instructions are in violation of the GDPR or any other applicable data protection regulations. The Processor shall also notify the Controller if the Processor is required by mandatory law to process personal data contrary to the Controller’s instructions;

b. Ensure that employees and sub-processors or other third parties authorised to process personal data on behalf of the Processor in accordance with Section 4 are subject to obligations of confidentiality;

c. Implement appropriate technical and organisational measures required pursuant to Article 32 of the GDPR. The data security measures are described in Appendix 2;

d. Ensure that any sub-processors processing personal data on behalf of the Processor have entered into a binding agreement with the Processor pursuant to Article 28(2) and (4) of the GDPR;

e. Notify the Controller if personal data are to be transferred outside the EEA and ensure that the personal data are adequately protected by EU model clauses or other basis for transfer pursuant to the GDPR;

f. At the request of the Controller within a reasonable period of time make all information necessary to document that the Processor fulfills Article 28 of the GDPR available. The Processor shall enable the Controller to perform audits and inspections, either by the Controller or by a third party designated by the Controller and bound by a duty of confidentiality;

g. Keep a record (log) of the processing activities carried out on behalf of the Controller, which shall at least contain the information required pursuant to Article 30 of the GDPR: the name and contact details of the processor, controller; categories of processing carried out on behalf of each controller; international transfers of data; and a description of technical and organizational security measures in place. The Controller can request a copy of such record at any time;

h. Immediately notify the Controller if the Processor receives a request from an authority to disclose personal data processed under this DPA. The Processor is not obliged to notify if the law prohibits such notification. Unless required by law, the Processor shall not comply with such a request without prior written notification of the Controller;

i. Assist the Controller in responding to requests from the data subject pursuant to Chapter III of the GDPR (including the right to information, access, correction and erasure);

j. Assist the Controller in fulfilling their duties pursuant to Articles 32-36 of the GDPR.

1.2. The scope of the Processor’s duty to provide assistance to the Controller under i) and j) shall take the nature of the processing and the information available to the Processor into account. The Processor has the right to invoice the Controller for work performed in order to fulfill the duties described in i) and j) pursuant to the hourly rates agreed in the principal agreement. The Processor does not have the right to charge to fulfil other duties under this DPA.

1.3. The Controller shall:  

a) have a legal basis to use and process contact data and keep records of consent and evidence of other lawful purposes of processing, when it is provided for by applicable Data Protection Laws.  

b) accept full responsibility for the following factors related to the data you provide, including but not limited to:

(i) ensuring that the Customer Data is accurate and of good quality;  

(ii) adhering to all the necessary requirements of applicable Data Protection Laws, including obtaining any necessary consents and authorizations for the collection and use of Personal Data, especially for marketing purposes;  

(iii) ensuring that you have the right to transfer or provide access to the Personal Data to us for processing according to the terms of the GTCs and this DPA;  

(iv) guaranteeing that any Instructions given to us concerning the Processing of Personal Data comply with applicable laws, including Data Protection Laws;  

c) be responsible for compliance with all relevant laws, including Data Protection Laws, regarding any emails or content created, sent, or managed through our services as per the GTCs, including obtaining consents where required to send emails, email content, and email deployment practices.

2. Instructions

The GTCs and this DPA constitute the final instructions of the Controller (with regard to data processing) at the time of the conclusion of this DPA. Further instructions are reserved for the Controller, but if the Controller’s instructions are not covered by the scope of services agreed in the GTCs, they shall be treated as a request for a change of services. In the event of proposed modifications, the Processor shall inform the Controller about the impact on the agreed services, in particular the possibility of providing the services, deadlines and remuneration.

If the Processor cannot reasonably be expected to implement the instruction, the Processor shall be entitled to reject the instructions. In the event that the Controller nevertheless insists on the instructions, the Processor has a special right of termination and can terminate the processing – and further terminate the DPA and the GTCs – at any time with immediate effect.

3. Notification routines

In the event of a personal data breach, the Processor shall notify the Controller within 48 hours. The notification shall at least describe:

  • The nature of the breach of personal data, including, if possible, the categories and the approximate number of data subjects affected;
  • The name and contact information of the data protection officer or other contact where information can be obtained;
  • The likely consequences of the personal data breach;
  • The measures taken or proposed to be taken to address the personal data breach, including any measures to mitigate its possible adverse effects.

In the case where all of the information above cannot be given in the first notice, the information shall be provided without undue delay and no later than 72 hours after the occurrence of the personal data breach. The Controller shall ensure that an incident report is sent to the relevant Data Protection Authority in accordance with GDPR art. 33.

4. Use of sub-processors

The Controller hereby grants a general authorization to use sub-processors.

The list of sub-processors is published on the Processor’s dedicated webpage as follows:
https://globusaioutlook.sharepoint.com/sites/GDPR/StaffingProcessors

The Processor has the right to replace sub-processors or add new sub-processors, and amend the list of sub-processors published on the website (hereinafter “Changes”), as necessary. In such event, the revised list of sub-processors will be posted on the Processor's websites with an indication of its effective date.

The Controller shall be informed of any Changes, and the Controller shall have the right to object to such Changes and inform the Processor thereof no later than 10 (ten) calendar days from the date of publication of the Changes. Failure to receive such objections within the specified period means the acceptance of the Changes.

The Controller may not reject a new sub-processor without legitimate reason. Any rejection based on well-founded suspicion that the level of data protection may be degraded as a result of the change of sub-processor shall be regarded as a legitimate reason.

If the rejection is based on illegitimate grounds, the Processor is entitled to a fee equivalent to the subscription fee for the last 12 months before the rejection and the parties should discuss possible amicable solutions in order to maintain the principal agreement and the present DPA in force.

5. Transfer of data to third countries

The transfer of the Controller data to a third country requires the prior consent of the Controller and may only take place if the special requirements of Art. 44 et seqq. GDPR are fulfilled. If these requirements are met, there must be important data protection related reasons to refuse consent.

The Processor acknowledges that any transfer of the Controller Data to Third Countries is subject to appropriate safeguards, such as, where necessary, a contract on EU-approved terms known as standard contractual clauses (SCCs) concluded with the respective sub-processor located in the Third Country. The Processor should also verify that the level of protection provided to the personal data following the transfer is essentially equivalent to and does not undermine the level of protection guaranteed to data subjects under the GDPR. The approval of the list of sub-processors by the Controller acknowledges the agreement with such transfer.

6. Audits

Each party shall cover their own costs related to audits. In the event an audit reveals a material deviation from the obligations of this DPA, all costs including the Controller’s and external auditors’ reasonable costs shall be covered by the processor.

7. Liability and compensation

The parties shall cover their own administrative fines and other penalties imposed as a result of violations of data protection laws.

In case a party becomes liable to pay compensation due to circumstances which the other party is responsible for, the responsible party shall make the compensation payment. The liability is limited as described in the GTCs and shall only cover direct loss.

8. Duration of the DPA

The DPA is in force for as long as the Processor processes personal data on behalf of the Controller pursuant to the GTCs.

In the event of a breach of this agreement or data protection laws, the Controller may instruct the Processor to stop further processing of the data with immediate effect.

9. Return, deletion and/or destruction at the end of the DPA

Upon termination of the DPA, the Processor is obligated to return all personal data received on behalf of the Controller.

The Controller may require that the Processor deletes or destroys all personal data processed under this agreement. The Controller may ask the Processor to confirm in writing that the deletion is completed. The deletion shall be carried out no later than 60 days after the DPA is terminated. Deletion means that the personal data are permanently deleted from all systems, except from the backup system. Only technical personnel shall have access to the backup system.

10. Law and legal venue

The law and legal venue are pursuant to the GTCs.

Appendix 1: The scope of the processing

The purpose of the processing

The processor will process personal data to provide its virtual staffing assistance service (the “Service”), and to improve the products and services as set out in the GTCs. The processor has been assured that the controller has complied with all applicable data protection laws and regulations, and that the controller is able to lawfully transfer its data to the processor to be processed as set out in the GTCs and this DPA.

Types of personal data processed

Candidates: Name, telephone number, e-mail address, work schedule, educational background, employment information (regular employee/temporarily employed etc.), time reports (hours worked, hours scheduled, overtime, absence etc.), salary information (salary, bank account etc.), personal information including identity number (CPR number), IP address, data about actions in the system. Work-related data: job application information (CV, personal letter, picture, test score, references etc.), Certification, Work history (which employees have attended which assignments), work schedules and future assignments, assignment information, activities and visits, names, addresses, team, Gerica ID.

Users (recruiters): name, company, email, phone number, IP address, data about actions in the system (e.g., click data and product view data).

Representatives of customers of the Controller: name, phone number, email, company, location, IP address, data about actions in the system.

Processing activities

Organisation, matching of data sets, data administration, structuring, storage, alteration, retrieval, use, data transfer, erasure or destruction.

The categories of data subjects

Personnel/employees of the Controller (users) - for use of services directed to sales, assignments and candidates; Candidates - for the use of Processor’s services directed to the career opportunities. Representatives of customers of the Controller – to enable direct communication on the Processor’s platform.

The duration of the processing

The Processor will process personal data on behalf of the controller for the duration of the principal agreement between the parties, unless otherwise agreed in writing. Data is deleted as soon as possible and no later than sixty (60) days after the agreement has been terminated, or the Controller has requested the personal data to be deleted.

Appendix 2: Security measures

Organizational and technical security measures that are to be implemented by Globus AI (Processor):

  1. Physical access control
  2. System access control
  3. Personal data access control
  4. Transfer access control
  5. Pseudonymization measures
  6. Encryption measures
  7. Access control and password routines
  8. Routines for critical events
  9. Control of entry of personal data
  10. Control of availability
  11. Control of separation
  12. Storage Policy

1. Physical access control

The Processor’s office is categorized by risk including:

  1. An access-controlled area assigned to hosting customers and visitors (corresponding to the office).
  2. A Service area assigned to the service (a delimited area of the office corresponding to the part of the offices where data are processed).
  3. A security area assigned to housing switches for the office internet connections, computer and telephony equipment not assigned to a specific employee (a delimited, access-controlled area of the office).

The Processor maintains an up-to-date list of individuals (including employees, service providers and temporary staff) who have access to the office and are authorized to enter the office without escort. Individuals needing to access the Processor’s service area or the security area are escorted (from the time they arrive, during their visit and until they exit the office) by an authorized member of the organization. Access rights to the security area are further restricted. The list of persons with access to the security area is regularly reviewed and persons are removed from it if necessary.

The Processor’s office has an alarm system installed to detect an unauthorized entry.

  1. The main office door is locked and all entries are registered digitally.
  2. Alarm system is automatically activated at night.

2. System access control

Measures to prevent unauthorized use of IT systems:

The Processor is allowed access to the Controller’s system in two specific scenarios: when there is a need to access shared email mailboxes and when interacting with the ATS systems. All other processing activities are conducted within the Processor's systems hosted on MS Azure.

The access permissions for employees and contractors of the Processor are meticulously validated by the senior management and are closely supervised to assure the security of the data. The access rights are revoked or altered when an individual no longer has the authorization to access certain resources, when their employment contract comes to an end, or during a change in their job role. Regular audits of access rights are carried out to make certain that they correspond with each user's responsibilities.

Authorized individuals within the Processor’s organization are granted access using either personal login credentials or general user profiles. When a key vault is in use, passwords are securely hashed. In cases where there is integration with interactive access to ATS using shared accounts, multi-factor authentication (MFA) is implemented.

3. Personal data access control

Globus AI employs a robust access control system, which includes creating, reviewing, and deleting user accounts.

The Controller handles the management of their user profiles via the Controller's interface, and these accounts are governed through the federated identity provider, unless the Processor has created local users at the request of the Controller.

The Processor has an interface supporting features for defining its own users’ profiles, separating tasks and areas of responsibility to limit users’ access to personal data exclusively to authorized users by applying need-to-know and least-privilege principles.

  1. User profiles can be designed in centralized fashion (with specific privileges for the use of functions and creation, read access, modification, deletion and transfer of data)
  2. Each person can be assigned one or more of the defined profiles when the employment contract takes effect or upon changing roles or jobs.

4. Transfer access control

Measures to ensure that personal data cannot be read, copied, modified or deleted by electronic transmission or transfer or storage on storage devices without permission, and that recipients can be identified and verified when transfer of personal data is performed via electronic transmission:

All electronic transfers are encrypted with SSL/TLS. Recipients are identified and verified using access tokens.

At Globus AI data transfer access control is implemented through Microsoft Azure Active Directory. Additionally, the Microsoft Azure Cloud encrypts all electronic transfers. The senders and recipients are identified and verified using electronic access tokens.

As a result, no personal data can be read, copied, modified or deleted by electronic transmission or transfer or storage on storage devices without explicit permission. Additionally, all recipients can be identified and verified when transfer of personal data is performed via electronic transmission.

5. Pseudonymization measures

All personal or sensitive data will be kept in a restricted database with separate login access. The rest of the data can be stored in an unrestricted database. The separation enables accountability, as only individuals with restricted access and proper training in handling personal data may work with such data. The data in the unrestricted database will have undergone anonymization or pseudonymization and thus cannot be correlated with personal identifiers. The data in the unrestricted database may also be persistent and need not be forgotten. It is enough to remove it from the restricted database, where personal identifiers can be correlated with other data.

When data is collected, each attribute will be inspected to understand if there is a legitimate reason for collecting it or not. When data is ingested into the system, it will be tokenized, and a separate lookup file will be created to associate between the original entry and the token. The lookup file will be stored in the restricted database.
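The tokenization scheme described in this section can be sketched as follows. This is an added illustration, not Globus code or part of the agreement; the class and function names, the attribute list and the sample records are assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets

# Assumption: which attributes count as personal identifiers is decided
# per attribute at collection time; this set is illustrative only.
PERSONAL_ATTRIBUTES = {"name", "email", "phone"}


class RestrictedLookup:
    """Stands in for the lookup file kept in the restricted database.

    It is the only place where a token can be mapped back to the original
    value. Tokens are random, so they cannot be reversed without it.
    """

    def __init__(self, index_key: bytes):
        self._index_key = index_key
        self._by_token = {}  # token -> (attribute, original value)
        self._by_index = {}  # keyed digest of (attribute, value) -> token

    def _index(self, attribute: str, value) -> str:
        # Keyed digest so the same value always finds its existing token
        # without a plaintext reverse index.
        msg = f"{attribute}\x00{value}".encode("utf-8")
        return hmac.new(self._index_key, msg, hashlib.sha256).hexdigest()

    def tokenize(self, attribute: str, value) -> str:
        idx = self._index(attribute, value)
        token = self._by_index.get(idx)
        if token is None:
            token = "tok_" + secrets.token_hex(16)
            self._by_index[idx] = token
            self._by_token[token] = (attribute, value)
        return token

    def resolve(self, token: str):
        """Re-identify a token; returns None once the entry has been removed."""
        entry = self._by_token.get(token)
        return entry[1] if entry is not None else None

    def forget(self, attribute: str, value) -> bool:
        """Erase one identifier: drop its lookup entry, leave tokens in place."""
        token = self._by_index.pop(self._index(attribute, value), None)
        if token is None:
            return False
        del self._by_token[token]
        return True


def ingest(record: dict, lookup: RestrictedLookup) -> dict:
    """Return the copy of a record that may go to the unrestricted database."""
    return {
        key: lookup.tokenize(key, value) if key in PERSONAL_ATTRIBUTES else value
        for key, value in record.items()
    }


if __name__ == "__main__":
    # Constructed sample data.
    lookup = RestrictedLookup(index_key=secrets.token_bytes(32))
    first = ingest({"name": "Kari Nordmann", "email": "kari@example.com",
                    "skill": "nurse"}, lookup)
    second = ingest({"name": "K. Nordmann", "email": "kari@example.com",
                     "skill": "ICU"}, lookup)
    print(first)
    print("same person linkable by token:", first["email"] == second["email"])
    lookup.forget("email", "kari@example.com")
    print("after erasure:", lookup.resolve(first["email"]))
```

After `forget`, the token left in the unrestricted records no longer resolves to anything, which is the erasure property the section relies on.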

6. Encryption measures

Azure Storage Services Encryption helps protect and safeguard data, including personal data, in support of organizational security commitments and compliance requirements defined by frameworks and regulations such as the GDPR. Azure Storage Service Encryption makes it possible to request that the storage service automatically encrypt the data when writing it to Azure Storage. Microsoft handles all the encryption, decryption, and key management in a fully transparent fashion. All data is encrypted using 256-bit AES (Advanced Encryption Standard) encryption, also known as AES-256, one of the strongest block ciphers available. We can enable this feature on all available redundancy types of Azure File Storage, since both options – LRS (locally redundant storage) and GRS (geo-redundant storage) – are included.

The processor will also use Azure Disk Encryption for virtual machines that are hosted in Azure and have Windows or Linux running as a local operating system. By doing so, all data inside these virtual machines is encrypted automatically as well.

Transparent Data Encryption with Azure SQL Database will help protect against the threat of malicious activity by performing real-time encryption and decryption of the database, associated backups, and transaction log files at rest. All of this takes place without requiring changes to the applications.

7. Access control and password routines

We will use Azure Role-Based Access Control (RBAC) to enforce separation of duties. This Azure service enables defining fine-grained access permissions to grant only the amount of access that users need to perform their jobs. Instead of giving everybody unrestricted permissions for Azure resources, we allow only certain actions for accessing personal data.

Azure Key Vault, a cloud-hosted service for managing cryptographic keys and other secrets used in cloud applications, provides capabilities to help with the protection of data and access to data. This Azure service enables us to safeguard cryptographic keys, certificates, and passwords. Azure Key Vault uses specialized hardware security modules (HSMs) for maximum protection and is designed in a way that allows us to maintain control of keys and data.

To minimize the number of people who have access to certain information, such as personal data, we can also use Azure Active Directory Privileged Identity Management. This functionality allows discovering, restricting, and monitoring privileged identities and their access to resources. It is also possible to enforce on-demand, just-in-time administrative access when needed.

8. Routines for critical events

We have adopted Microsoft Azure routines for critical events: https://docs.microsoft.com/en-us/azure/architecture/resiliency/disaster-recovery-azure-applications

9. Control of entry of personal data

Measures to ensure that persons authorized to use the IT system only have access to personal data restricted to the person's established authority:

The Controller manages user profiles through the Controller interface. The Controller’s interface supports features for defining users’ profiles, separating tasks and areas of responsibility to limit users’ access to personal data exclusively to authorized users by applying need-to-know and least-privilege principles.

  1. User profiles can be designed in centralized fashion (with specific privileges for the use of functions and creation, read access, modification, deletion and transfer of data)
  2. Each person can be assigned one or more of the defined profiles when the employment contract takes effect or upon changing roles or jobs.

At Globus AI we use Azure Information Protection to automate the process of classifying categories of data, including personal data. The classification is identifiable always, regardless of where the data is stored or with whom it is shared. The persistent labels include visual markings as well as metadata that is added to files and email headers in clear text, so that other services (such as data loss prevention solutions) can identify the classification and take appropriate action.

In addition to tagging personal data in Azure Information Protection, we will use Azure Data Factory and/or Azure HDInsight for this purpose. Azure Data Factory has capabilities to help trace and locate personal data, including visualization and monitoring tools to identify when data arrived and where it came from. There are also capabilities for automating data pipelines with on-demand cloud resource management.

This ensures security and control of access to personal information. Additionally, the foundational customer data protection in Microsoft Azure ensures data segregation, encryption and redundancy.

10. Control of availability

Backup of personal data is done regularly by the Processor:

  1. A complete backup is performed at least weekly
  2. Incremental backup is performed at least daily to capture any changes that have occurred since the last full backup.

Backups are saved for 5 weeks and verified regularly (at least yearly) by producing a full restore and by verifying access and integrity of the restored data. Backups are transmitted to a location separated from the data. Backups have the same level of security as the original data. A disaster recovery plan is held by the Processor to ensure that the organization, staff, systems and premises necessary to carry out the processing are available within a timeframe that corresponds to the agreed level of service.

To enhance the redundancy of our data, we leverage Microsoft Azure's three-level data redundancy system as appropriate for the type of database. Locally redundant storage (LRS) is replicated three times within a single facility in a single region. LRS protects data from normal hardware failures, except for a failure of the whole facility.

11. Control of separation

Measures to ensure that personal data collected for different purposes can be treated separately:

The Processor processes Controller’s data for providing its services to the Controller and improving the Processor’s products and services, as specified in the JCA. The Processor does not use Controller’s data for other purposes that would require separate processing.

12. Storage Policy

Measures to ensure that personal data are deleted during and after the term of DPA when use is no longer necessary for the initial purpose:

Data is kept during the term of the DPA and deleted as soon as possible and no later than sixty (60) days after the Controller terminates the principal agreement or requests that the personal data be deleted.

Security measures (including those described in the present DPA) are subject to change at any time by the Processor. The Controller will be informed by the Processor of any significant changes in advance and may obtain up to date information on security measures by sending an email to privacy@globus.ai.

In a case of objections to the changes to these security measures, the Controller informs the Processor about the objections no later than 10 (ten) calendar days. Failure to receive such objections within the specified period means the acceptance of the changes.

General description:

To comply with the General Data Protection Regulation (GDPR), this agreement defines how the parties organise, share and process personal data.

This Joint Controllership Agreement (“JCA”) together with the General Terms and Conditions globus.ai/legal/gtc (the “GTCs”), Data Processing Agreement - globus.ai/legal/dpa (the “DPA”), accepted by the Customer, constitute legally binding commitment between Globus AI AS («Controller 2» or “Globus”) and its customer (“Controller 1, Customer”), from the Effective Date.

Globus processes personal data to provide its virtual staffing assistance services as a Processor under the DPA. In this arrangement the parties determine how and why personal data is being processed in other cases described below. These terms apply unless otherwise stated by the law.

1. Training of ML algorithms

In order to effectively match candidates Globus requires AI algorithms to recommend suitable candidates for assignments (ML component of the Product).  

The main goals and main activities are:

For the Customer/Controller 1 – to place candidates for suitable positions.

For Globus/Controller 2 – to train its artificial intelligence and machine learning algorithms to power the development of the machine learning models. Such improvements may benefit each separate customer whose data were used in any specific instance.

The category of data subjects / the group of people to whom the data relates - Candidates.

Legal basis – legitimate interest.

The processing starts on the Go-live date and ends when the subscription is terminated or a candidate effects their data protection rights, such as the right to erasure, the right to restrict processing, and the right not to be subject to a decision based solely on automated processing.

2. Analysis of customers’ use of the Product

The main goals and main activities are:

For the Customer/Controller 1 – to optimize work of its recruiters – users of Globus Product.

For Globus/Controller 2 – to analyse how customers/users interact with the Product, so Globus can improve, develop and personalise its products and services.

The category of data subjects / the group of people to whom the data relates - Users.

Legal basis – legitimate interest or consent of the users.

The processing starts on the Go-live date and ends when the subscription is terminated or a user effects their data protection rights, such as the right to erasure, the right to restrict processing, and the right not to be subject to a decision based solely on automated processing, or withdraws their consent.

***

Controller 1 acknowledges that as per the compatibility test it evaluated that the processor’s new purposes described above are “compatible” with the initial processing purpose of placing candidates at jobs and hereby the Controller 1 grants explicit permission to process the personal data for the purposes described above.

Obligations

  • The parties are aware of the General Data Protection Regulation and will endeavor to meet all requirements of the GDPR.  
  • Each party will make sure that data subjects receive the required information (as described in article 13 and 14 of the GDPR) when personal data is collected by that party. They will make sure that data subjects have the name of the controller, the data protection officer, the purposes of data processing, the legal basis for processing and who receives the data. This can for instance be done in a privacy statement/notice.  

Globus describes the processings in the notice within the candidate portal (a static webpage with the list of available assignments) also published on globus.ai/legal/privacy.

  • Each party agrees to take reasonable, appropriate technical and organizational measures to protect the personal data, so that the risk of data breaches is minimized.
  • Each party will inform all other parties immediately in the case of a serious information security incident. This way, each party can determine if the serious information security incident is a data breach that must be reported. Parties will keep each other informed whether they have reported the data breach as the controlling party, and if and how they have informed data subjects.  
  • Each party will make sure that data subjects can make a request to exercise their GDPR rights, including the right of access to data, rectification, erasure, restriction of processing and data portability if applicable.
  • Whenever a party receives a GDPR request from a data subject, it will inform the other party of the request. All parties will then work together so that the request is fully and completely handled. The first party receiving the request will communicate with the data subject.
  • If one party is audited by their supervisory authority (e.g. the Datatilsynet, ICO) for a joint activity, the other parties will support the audited party, for instance by providing information that is requested by the supervisory authority.  

Amendments

The latest version of this JCA is available at globus.ai/legal/jca.  

Globus may amend this JCA and inform the Customer thereof. Such amendments shall apply beginning ten (10) days from the date of posting it on globus.ai/legal/jca and informing the Customer.

Globus AI AS, registered in Norway under organization number 919 664 886 ("Globus AI"), provides a cloud-based platform powered by Artificial Intelligence (AI) designed to solve staffing difficulties more efficiently by automatically aligning requests with suitable professionals.

The product, which includes the Product Tenant(s)/Platform and corresponding user access rights, is offered to customers on a non-exclusive basis via a subscription model (as software-as-a-service - "SaaS"). In addition, Globus AI may offer additional related services (collectively referred to as the "Services"). The Services ordered by the Customer are outlined in the Quote, and the terms and conditions for such a subscription are specified in these General Terms and Conditions (GTCs).

1. GOVERNING DOCUMENTS

1.1. These General Terms and Conditions (the “GTCs”), the Data Processing Agreement www.globus.ai/legal/dpa (the “DPA”) and the Joint Controller Agreement www.globus.ai/legal/jca (the "JCA") together with the Quote form a legally binding commitment between Globus AI and the Customer from the date the Quote is signed by the Parties (the “Effective Date”). The capitalised terms used in these GTCs without definition have the meanings assigned to them in the Quote.

1.2. These General Terms and Conditions (GTCs) and the Quote explicitly override all previous proposals, negotiations, communications, irrespective of whether they were oral or written, between the Parties (this includes any prior versions of these GTCs). If there is any discrepancy or conflict between these GTCs and the Quote or another document signed by the Parties, these GTCs specify additional provisions to the signed document, but they do not explicitly modify it.

1.3. The latest version of these GTCs is available at globus.ai/legal/gtc. Globus AI may amend these GTCs at any time at Globus AI’s sole discretion upon notice to the Customer, which shall be posted on the Globus AI respective website page, and such amendments shall apply to any prospective Services thirty (30) days from the date of posting.

1.4. The specifics of the Globus AI solution and its product functionalities are elaborated in the Product Specification available on our website at globus.ai/legal/prodspec. The Product Specification offers an insight into the potential functionalities of Globus, with the exact features being specified in the Quote. According to clause 8.2 of these GTCs, the Product will align closely with the relevant Product Specification.  

2. COOPERATION FRAMEWORK

2.1. The Product requires a set-up phase to prepare and customize it for the Customer as described in the GTCs.

The access to the Product is provided after a set-up phase used to set up infrastructure, technical environment and prepare custom components. Globus AI will notify the Customer of the date when the Product is made available to the Customer through the cloud (the “Start-Up Date” or "Go-Live date") via e-mail. The invoicing of the subscription fees will commence on the Go-Live date, marking the official start of the Customer's subscription period.

2.2. Before and during the set-up phase, the Customer shall provide Globus AI with necessary access to data and information on the Customer’s source system, and otherwise contribute as required by Globus AI in order to facilitate Globus AI’s performance of its obligations under these GTCs.

2.3. Where the set-up phase is prolonged because of additional Customer requirements for the scope and functionality of the Product, or because of a delay in providing access or otherwise contributing to the set-up, the Parties agree on a new applicable timeline based on the new requirements/scope. However, these changes required by the Customer do not affect the start date of the invoicing of the subscription.

2.4. Globus AI will appoint a representative to provide a project plan for setting up, performing user acceptance testing and starting up the Product, as well as applicable milestones, dependencies, and other technical specifications or related information to the representative designated by the Customer. The representatives appointed by both Parties will be available to respond to any inquiries that might arise within a reasonable period of time, as well as deal with other matters addressed in these GTCs.

For the purposes of these GTCs, the Parties communicate by e-mail through their appointed representatives. The Parties may change their representatives by notifying via email.

2.5. Globus AI may extend the set-up phase due to the necessity to perform additional implementation or for other reasons. All assumptions related to the timeframe necessary for setting up are preliminary and approximate and do not constitute an obligation of Globus AI to perform the set-up within a certain timeframe. Such extension shall not be considered a delay or late delivery of the Product/Services and does not give the Customer any right to claim compensation or other remedies. Globus AI would inform the Customer about such an extension via email.

2.6. The Parties agreed to perform a set-up phase sign-off, confirming that the Product works as described in the Product Specification. The Product will be assumed to have been set-up successfully unless the Customer notifies Globus AI in writing of a defect in the delivery of the Product within 1 month from the date the Product is made available to the Customer through the cloud (“Go-Live date”). Support services are charged for on the time-and-materials basis after the set-up phase is completed.

2.7. Should the Customer decide to change their CRM provider during the subscription term, Globus AI will undertake a scoping exercise to ascertain the level of effort required to provide an implementation with the new CRM. Globus AI will provide a non-binding Statement of Work to Customer outlining the costs associated with the set-up of the Product with the new CRM. Notwithstanding anything to the contrary, subscription fees for the Initial or Renewal terms existing on the date of such changes are payable by the Customer.

3. FEES

3.1. Subscription fees

3.1.1. All subscription fees are due and payable in advance and are non-refundable. Invoicing of the subscription fees starts on the Go-Live date, with payment expected within 14 days of the invoice date, nevertheless, not later than 2 months after the Effective date.

3.1.2. Globus AI will issue invoices according to the invoicing frequency specified in the Quote. The fees for any subsequent renewal terms are invoiced at a then-current standard Globus AI rate.

3.1.3. During the Subscription Term, you may decide to stop using Globus and choose to cancel your subscription early, provided that, we will not provide any refunds and you will promptly pay all unpaid fees due through the end of the respective subscription term.

3.1.4. The Customer may add new users at any time during their subscription term for an additional fee at the rate specified in the Quote, those added users will be included in the next payable subscription fee.

3.2. Additional fees

3.2.1. The Customer will be charged an additional one-time fee for services to be provided by Globus AI during the set-up phase (the “Set-Up Fee”). The current set-up scope is estimated as described in the Quote. The total amount is invoiced on the Effective Date.

3.2.2. The fees for developing new or additional functionality ("Change request") and/or specific features requested by the Customer along with the set-up work required to implement those will be charged separately. This could be on a time-and-materials basis, and/or as an additional subscription cost. All such fees will be specified by Globus AI at the time of the request and will be invoiced monthly. Both parties must approve these charges in advance.

3.2.3. SMS charges are invoiced based on the usage at the rate and payment frequency described in the Quote (rates for other countries may be provided upon request). The Customer undertakes to pay the fees for SMS and similar services in full. Globus AI may change pricing unilaterally to adjust for changes in the market prices of SMS services.

4. PAYMENT TERMS

4.1. Any payment by the Customer under this Agreement shall be made within 14 days from the invoice date. The Customer must notify Globus AI of any invoice disputes within the payment period or such invoice shall be deemed undisputed.

4.2. Globus AI may modify any rates and prices upon a prior written notification to the Customer. The updated rates and prices take effect 30 (thirty) calendar days after the Customer receives Globus AI’s notification.

4.3. Globus AI reserves the right to adjust the fees based on latest available Norwegian Consumer Price Index or with the latest applicable consumer price index in other country where the Customer operates.

4.4. If the Customer fails to make any payment when due, the Customer shall pay a penalty on any amounts outstanding at the maximum penalty interest rate established by the Norwegian Ministry of Finance, or the interest rate applicable in any other country where the Customer operates.

In addition to other remedies, Globus AI may suspend the Customer’s use of and access to the SaaS Product and suspend provision of its services without any liability for Globus AI.

4.5. All the amounts payable under this Agreement do not include any taxes or other charges, which are the Customer’s responsibility. This includes any payments related to third-party systems like ATS/CRM and their respective APIs and any taxes payable with respect to the SaaS Product and the Services.

4.6. Any discounts granted shall not apply to any renewals.

5. TERM & TERMINATION

5.1. The subscription term spans one year and commences from the Go-live date (the “Subscription Term”). Following this, the subscription will automatically renew for successive one-year terms unless either Party chooses to terminate it.

The termination notice should be done in writing and sent within a period of 3 months prior to the expiration of a subscription term, unless otherwise is specified in the Quote. 

5.2. Either Party may terminate the subscription if the other Party commits a material breach of this agreement and fails to cure the breach if it is curable within 30 (thirty) days of receiving a written notice of such a breach.

5.3. Either Party is entitled to terminate the subscription upon negotiations with a one-month prior notice in case when the completion of the set-up is impossible due to the performance limitation of any 3rd party systems.

6. INTELLECTUAL PROPERTY RIGHTS

6.1. Globus AI owns and retains all right, title, and interest, including all intellectual property rights, whether registered or not, in and to the Product and the Services provided under these GTCs and all technology related thereto, including any and all algorithms or processes developed by Globus AI and all derivatives, modifications, or improvements of or to any of the foregoing made by or for Globus AI, whether or not created or developed in connection with the SaaS product and services hereunder.

Any rights not expressly granted to the Customer in these GTCs are reserved by Globus AI.

6.2. Globus AI hereby grants the Customer a non-exclusive, sub-licensable and non-assignable access to use the Product solely for the Customer’s internal business operations in accordance with these GTCs.

6.3. The Customer may not: (i) rent, lease, lend, sell, redistribute the Product or Services; (ii) modify, disassemble, decompile, reverse engineer, or otherwise attempt to derive the source code of the Product or Services or knowingly permit or encourage any third party to do so, (iii) resell, distribute or otherwise transfer the SaaS product or Services, and code comprising the same, or any Globus AI trademark, logo or likeness, or (v) use the Product and Services to develop competing products or services. Any attempt to do so is a violation of the Globus AI’s rights. The Customer may not use the Product or Services for any other purposes than their intended use.

6.4. The Customer owns and retains all right, title, and interest, including all intellectual property rights, in and to data that has been entrusted to Globus AI for processing and the output from Globus AI’s processing of such data.

6.5. The Customer hereby grants Globus AI a non-exclusive, non-transferable, worldwide, royalty-free, fully paid-up, perpetual, and irrevocable right and license to use the data derived from analysis of the Customer’s data in aggregated or de-identified form, for the purposes of providing and improving Globus AI’s products and services.

7. PERSONAL DATA PROTECTION AND INFORMATION SECURITY

Globus AI is to process personal data on behalf of the Customer in accordance with the Data Protection Agreement (the “DPA”) published on the Globus AI’s dedicated webpage at globus.ai/legal/dpa.

8. INDEMNIFICATION

8.1. The Customer agrees to indemnify, defend, and hold harmless Globus AI from and against all claims, demands, suits or proceedings brought against Globus AI by a third party and all resulting liabilities, damages, losses, and expenses awarded by a court or included as part of a final settlement arising out of (i) the Customer’s breach of these GTCs or other agreements by and between the Parties, (ii) any negligent, fraudulent or misuse of the Service, (iii) the Customer’s content and (iv) the Customer’s violation of any law or the rights of a third party.

8.2. Globus AI shall indemnify, defend, and hold harmless the Customer from and against all claims, demands, suits or proceedings brought against the Customer by a third party and all resulting liabilities, damages, losses, and expenses awarded by a court or included as part of a final settlement, arising out of Globus AI Product and/or Subscription Services direct infringement or misappropriation of such third party’s intellectual property rights (“Claims”).

8.3. The indemnifying Party’s obligations under these GTCs are conditioned on the indemnified Party (i) promptly notifying the indemnifying Party in writing of the claim for which indemnification is sought, (ii) reasonably cooperating with the indemnifying Party in connection with the claim, and (iii) tendering sole control to the indemnifying Party over the defense and/or settlement of the claim. The indemnified Party shall have the right to provide for a separate defence with counsel of its own choosing at its own expense.

9. LIMITATION OF LIABILITY

9.1. Globus AI’s liability pursuant to these GTCs shall not exceed the amount paid by the Customer for the Product and/or Services under these GTCs in the 6 (six) months prior to the act that gave rise to the liability, excluding VAT.

9.2. Neither Party shall be liable to the other Party for any special, incidental, indirect, punitive, exemplary or consequential damages, whether foreseeable or unforeseeable, which may arise out of or in connection with these GTCs, regardless of whether either Party has been apprised of the possibility or likelihood of such damages occurring, or whether claims are based on remedies are sought in contract or tort or otherwise.

9.3. Neither Party shall be liable for any force-majeure events (including natural disasters, accidents, civil unrest, strikes, military operations, enactment of legislative acts, orders and decrees of government authorities, and any other circumstances beyond the Parties’ control) and any failure to perform or improper performance in connection with them.

10. NO WARRANTY & DISCLAIMER

10.1. The Service is provided on an “as is” and “as available” basis.

10.2. Globus AI warrants that (i) the Product will operate in substantial conformity with the applicable Product Specification and (ii) Globus AI will not materially decrease the functionality or overall security of the Product during the applicable subscription term.

10.3. Considering the clause 10.2. hereof Globus AI disclaims to the extent authorized by law any and all other warranties, whether express or implied, including any implied warranties of merchantability or fitness for a particular purpose, of satisfactory quality, of accuracy. Globus AI does not warrant the Customer’s enjoyment of the Product or Services, that the functions contained in or performed or provided by Globus AI Product or Services will meet the Customer’s requirements.

Without limiting the expressly specified obligations, if any, Globus AI does not warrant that the operation of the Product will be uninterrupted or error-free (although Globus AI uses reasonable effort to respond to such requests in a timely manner and bug fixing cannot be invoiced as support services), that defects in the Globus AI Product or Services will be corrected, that the Customer will be able to use the Product or Services with the third-party systems or that Globus AI will review the Customer’s data for accuracy. No oral or written information or advice that Globus AI gives shall create a warranty. Globus AI cannot guarantee that Globus AI’s security procedures will be error-free or that unauthorized third parties will never be able to defeat Globus AI’s security measures or those of Globus AI’s third-party service providers. Globus AI will not be liable for delays, interruptions, service failures or other problems inherent in use of the internet and electronic communications or other systems outside Globus AI’s reasonable control. The Customer may have other statutory rights, but the duration of statutorily required warranties, if any, will be limited to the shortest period permitted by law.

10.4. Globus AI cannot and does not guarantee the Product performance if it is dependent on third parties’ products or services.

11. PUBLICITY

11.1. Globus AI may use the Customer’s name and logo on Globus AI’s website, in Globus AI’s marketing materials, and to identify the Customer as a client of Globus AI, provided that any such materials are pre-approved by the Customer. Such approval shall not be unreasonably withheld.

11.2. The Parties further agree to issue a joint statement regarding the Services on the Effective date, subject to the approval of such statement by the Parties.

11.3. If the Customer provides any feedback to Globus AI regarding the Services, Globus AI may use such feedback for marketing purposes, provided that the Customer is notified before such use takes place.

12. CONFIDENTIALITY

12.1. For the purposes of these GTCs, “Confidential Information” means any information, whether or not developed by either Party, including but not limited to pre-existing or new information which relates to all ideas, designs, methods, discoveries, improvements, products, software, trade secrets, product data and specifications, proprietary rights, business affairs, product developments, the customer information or employee information, techniques, models, inventions, data, databases, proprietary code, know-how, pricing terms, business forecast, sales and marketing plans and reports provided to either Party under these GTCs. If there are any doubts as to whether information is subject to confidentiality, it shall be treated as confidential until it is released in writing by the other Party.

12.2. During the term of the cooperation and indefinitely thereafter, each Party will keep and maintain the other Party’s Confidential Information in the strictest of confidence and will not otherwise make the other Party’s Confidential Information available in any form to any third party (except for the affiliates of the Party or vendors necessary to perform these GTCs, provided those are bound by similar confidentiality obligations), or use the other Party’s Confidential Information for any purpose other than performance of its obligations under these GTCs.

12.3. Each Party shall be responsible for ensuring that their respective officers, vendors, agents and employees do not disclose, use or distribute the other Party’s Confidential Information in violation of these GTCs and the DPA. Each Party will make commercially reasonable efforts to protect the other Party’s Confidential Information.

12.4. The receiving Party may disclose Confidential Information of the disclosing Party to satisfy applicable laws including, but not limited to, legal demands, requirements, or orders by a competent court of law or governmental body; provided, however, that in such circumstances, to the extent legally permissible, the disclosing Party shall be advised prior to such disclosure so that the disclosing Party has an opportunity to defend, limit, and/or protect against the production or disclosure.

13. APPLICABLE LAW AND DISPUTES CONCERNING THE AGREEMENT

13.1. These GTCs and the DPA shall be governed by and interpreted in accordance with the laws of Norway, without regard to any principles of conflict of laws.

13.2. All disputes arising out of or in connection with these GTCs or the DPA shall be finally settled under the laws of Norway. Both Parties consent to Stavanger District Court as the legal venue for any disputes not solved through negotiations. Either Party shall submit a claim to the other prior to filing a claim to the court.

14. SURVIVAL

14.1. Any provisions that by their nature should survive termination shall survive termination, including, but not limited to: clauses 3.1.3., 3.2.3. (Subscription fees), 4.4, and 4.5 (Payment terms), article 6 (“Intellectual property rights”), article 8 (“Indemnification”), article 9 (“Limitation of Liability”), article 10 (“No Warranty and Disclaimer”), clause 11.3. (“Customer’s feedback”), article 12 (“Confidentiality”), article 13 (“Applicable law”), clause 14.1 (“Survival”), article 15 (“General provisions”).

15. GENERAL PROVISIONS

15.1. Nothing in these GTCs shall be deemed to create any joint venture, partnership, agency, or independent contractor or other similar relationship between Globus AI and the Customer.

15.2. Neither Party may assign its rights and obligations without prior written consent of the other Party, which shall not be unreasonably withheld, conditioned or delayed; provided that no such consent shall be required for any assignment by either Party to an entity which succeeds to all or substantially all of such Party’s assets, stock, or business whether by merger, sale, or otherwise.

15.3. If any provision of these GTCs and/or the DPA is held by a court of competent jurisdiction to be invalid or unenforceable for any reason, the remaining provisions hereof shall be unaffected and remain in full force and effect.  In place of the invalid or unenforceable provision, or to fill a contractual lacuna, such valid and enforceable provision shall apply which reflects as closely as possible the commercial intention of the Parties as regards the invalid, unenforceable or missing provision.

15.4. Failure or delay in enforcing any right or provision of these GTCs or the DPA shall not be deemed a waiver of such right or provision with respect to any subsequent breach.

15.5. The Parties shall give all notices and effect legally significant communications between the Parties in writing by (i) personal delivery, (ii) a nationally-recognized courier service, (iii) first-class registered or certified mail, postage prepaid, to the Party’s registered office address, or to the address that either Party has notified to be that Party’s address for the purposes of this clause, and exchange copies of such notices via the e-mail addresses of the representatives of the Parties used during the set-up and cooperation.

15.6. Except with respect to the Customer’s payment obligations and notwithstanding any other provision of these GTCs, a Party shall be excused from any delay or failure in performance of these GTCs to the extent such delay or failure is caused by wildfire, flood, explosion, war, embargo, governmental requirement, civil or military authority, Act of God, or any other causes beyond its reasonable control. Any such delay or failure shall suspend the performance until the cause for the delay or failure is removed.

1. Introduction

At Globus AI AS, we prioritize your privacy. This notice explains what personal data we collect, how we use it, and your rights.

Your personal data is processed by Globus AI AS, registered in Norway under organization number 919 664 886.

Address: Rådhusgata 6, 4306 Sandnes, Norway.

E-mail: privacy@globus.ai

We process personal data of candidates for work placements, users of our system and customers of our clients.

2. Data Collection

We collect

a. General information: name, telephone number, address, e-mail address, work schedule, employment information (temporarily employed etc.), IP address.

b. Work-related data: work history (which employees have attended which assignments), time reports (hours worked, hours scheduled), work schedules and future assignments, assignment information, salary when it is needed.

3. Data Use

We process your personal data to

a. Connect you with the most relevant jobs through our SaaS product, a digital assistant for staffing agencies (who are data Controllers in this case).

b. Train our artificial intelligence and machine learning algorithms to power the development of the machine learning models to place candidates for the most suitable positions (if applicable).

Such improvements benefit each separate candidate whose data were used in any specific instance.

4. Collecting Personal Information

Personal information we process is provided to us directly by you responding to a job request in the product. We also receive personal information indirectly, from the recruitment/staffing agency you are working with. If that’s the case, a Joint Controller Agreement published on globus.ai/jca is also applicable.

5. Data Storage

Your information is securely stored in our systems on Microsoft Azure Cloud Computing Platform & Services. We keep your information for as long as it is processed by our partners (the staffing agencies) in the databases from which we obtained it. We will also erase your information from our database at your request.

6. Data Sharing

We share your data with cloud computing systems

a. Operations and service maintenance: Microsoft Corporation (Microsoft Azure Cloud Computing Platform & Services), located in the Netherlands and Ireland, and Microsoft Corporation (Microsoft Office 365, Power BI), located in Ireland, the Netherlands, Austria and Finland

b. Database: MongoDB Inc. that provides MongoDB Atlas service, data deployment region is EU

c. Email delivery services: Twilio Inc that provides SendGrid service, data location is US

d. Globus support and help centre: Intercom Inc that provides intercom services, data location is USA

e. SMS delivery services: onlinecity.io that provides GatewayAPI services with data location in Denmark

We will also share this information with our processors who have adhered to the SCCs published on globus.ai/scc and who assist us in our development efforts (as those are private individuals, we will be able to provide their details upon request at privacy@globus.ai). We will never sell your data.

7. Law Behind Data Processing

By law we are allowed to process your personal data to pursue our legitimate interest (see Article 6(1)(f) of the General Data Protection Regulation 2016/679) because training of ML algorithms is inseparable from providing our services. As for the data entrusted by your staffing agency for placement purposes, we process it as a processor as per the DPA (globus.ai/dpa).

8. Transferring Data Outside the EEA

For the objectives outlined in Section 3 above, we may grant our developers in countries outside the European Economic Area (EEA), such as Montenegro, Kazakhstan, Armenia, and Georgia, access to your personal data. Please be aware that this is not always applicable, as access is granted according to specific roles. We use SCCs as a safeguard, as required by law, to protect your personal data in case of such transfers, and we have made all necessary assessments. Please let us know at privacy@globus.ai if you wish to have any details about international transfers.

9. Exercising Your Rights

Where we use your Personal Data for the activities mentioned in this Privacy Notice, you may:

request further details about how we use your Personal Data, including receiving a copy of your Personal Data (‘Right of access’), request that we correct, update or erase your Personal Data (‘Right to rectification’), request that we restrict the use of your Personal Data (‘Right to restriction’), object to us using it, or that we use it for direct marketing (‘Right to object’).

Where we use your Personal Data specifically based on your consent, you also have the right to request that we transfer your Personal Data to you or a third party (‘Right to data portability’). If you wish to exercise your rights, you can contact us by sending an e-mail to privacy@globus.ai.

10. How to file a complaint

If you have any queries that cannot be clarified as a result of internal dialogue with us or you wish to file a complaint, you can contact the Norwegian Data Protection Authority at https://www.datatilsynet.no

Cover up more assignments every day

Globus significantly reduces the time and effort spent on manual tasks, allowing recruiters to focus on more strategic aspects of the hiring process and the human touch.

- 5X faster response time
- 30% more candidates available
- 40% more orders processed

Source: Globus.ai research

FAQs

Can I integrate Globus.ai with my existing solutions?

Yes. Globus.ai can be integrated with existing solutions to ensure the flow of data between all systems. Our implementation team will support you in identifying the best approach.

Is payroll and invoicing a part of the system?

All required information related to payment and invoicing is posted to your ATS system in the right format for quick auto processing. Information related to trust/customer/department/project, assignment and salary information, including dates and working hours, is registered to your ATS system in the right format for further processing.

Do you integrate with Microsoft Outlook and Office 365?

Yes, to ensure that all job orders from your customers are seamlessly funnelled into Globus.ai and prepared to be fulfilled.

Can you read job requirements and orders from portals?

Yes. We capture orders and job requirements from the largest portals in the Nordics. For other countries, please contact us for a free exploration session; our technical representatives are here to help.

Can you read job requirements and orders from emails?

Yes, we capture all relevant information about the assignment(s) from emails and email attachments (spreadsheets, documents, PDFs, and weblinks), and automatically match relevant candidates from your database.

Is our data safe with Globus Staffing, and are you GDPR compliant?

Yes, we are fully GDPR compliant. Protecting your data and keeping it safe is our priority. For more information, please refer to the security measures in our Data Protection and Privacy notice.

Do we implement a Responsible AI approach?

Addressing GPT and Data Privacy Concerns

Scope of GDPR with GPT: GDPR primarily governs GPT when personal data is processed.  

Our use cases

1. AI-based Email Extraction: limited to extracting information from emails and signatures.

2. Email Enhancement: generalized email drafting for candidates; it doesn't involve personal data. Hence, GDPR concerns are minimal here.

Data Safeguards

Private GPT Instance: We utilize a private GPT instance via Microsoft Azure. This ensures:

- Your data is not available to other customers or OpenAI and is not used to improve OpenAI models or Azure OpenAI models - please see the dedicated Microsoft webpage.

- Data storage exclusively within our Azure environment - the Azure OpenAI Service is fully controlled by Microsoft; Microsoft hosts the OpenAI models in Microsoft’s Azure environment and the Service does NOT interact with any services operated by OpenAI (e.g. ChatGPT, or the OpenAI API).

This is a distinct advantage over US services that might use OpenAI indirectly, as we can opt out from storing prompts and completions, ensuring enhanced data privacy.

Signature Data Trimming

We actively remove personal data from email signatures. While not foolproof, it's rare for personal data to be present in the main email content.

Future Considerations

We're exploring the deployment of a self-hosted model (like Llama 2) in a cloud. This guarantees that only we can access and manipulate user-generated prompts and parsed emails, further enhancing data privacy.
