Newployee Data Processing Addendum

Last Updated: 07.11.2025

This Data Processing Addendum (the "DPA") is intended to supplement the Terms of Service, Order Form, or any other licensing agreement or contract ("Master Agreement") entered into by and between (i) the relevant Newployee entity as listed on the Order Form ("Newployee"), and (ii) the other legal entity identified in the Master Agreement that accepts or agrees to this DPA ("Customer"). For purposes of this DPA, Newployee and Customer may be referred to individually as a "party" and collectively as the "parties."

Newployee Contracting Entities

EMEA Region

  • Contracting Entity: Newployee OÜ
  • Address for Notices: Harju maakond, Tallinn, Kesklinna linnaosa, Viru väljak 2, 10111, Estonia

US Region

  • Contracting Entity: Newployee Inc.
  • Address for Notices: [US Address to be specified]

APAC Region

  • Contracting Entity: Newployee Pte. Ltd.
  • Address for Notices: [APAC Address to be specified]

In the event of a conflict between this DPA and the Master Agreement, the terms and conditions set forth in this DPA shall supersede and control with respect to such conflict. Any capitalized term that is used, but not otherwise defined, herein shall be ascribed the meaning set forth in the Master Agreement.

This DPA reflects each party's understanding regarding the processing of customer personal data by Newployee for, or on behalf of, Customer. This DPA replaces and supersedes any and all previously agreed upon terms governing the processing of customer personal data.

1. Definitions

1.1. Affiliate means any person that is directly or indirectly, through one or more intermediaries, Controlling, Controlled by, or under common Control with, one of the parties hereto. For purposes of this definition, "Control" shall mean possessing, directly or indirectly, the power to direct or cause the direction of the management, policies, and operations of a person, whether through ownership of voting securities or by contract.

1.2. California Consumer Privacy Act ("CCPA") means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 and any other applicable amendments (codified at Cal. Civ. Code § 1798.100 et seq.), and includes any and all implementing regulations thereto.

1.3. Customer Personal Data means the Personal Data that Newployee Processes on behalf of Customer.

1.4. Data Controller means an entity that determines the purposes and means of the Processing of Personal Data.

1.5. Data Processor means an entity that Processes Personal Data on behalf of a Data Controller.

1.6. Data Protection Law means all applicable laws, regulations or other binding rules, judicial or administrative interpretation, guidance, approved certification mechanisms or codes of practice (as amended, consolidated or re-enacted from time to time) relating to the processing of Personal Data and privacy in any relevant jurisdiction and any corresponding or supplemental state or national laws or regulations, once in force and applicable. Any reference to any laws no longer in force shall be replaced with references to any laws replacing, amending, extending, re-enacting or consolidating such law, once in force and applicable.

1.7. Data Subject means an identified or identifiable individual whose Personal Data is being Processed by Newployee.

1.8. Documented Instructions means the Processing terms and conditions set forth in the Master Agreement, this DPA, and any applicable Order Form or mutually agreed upon statement of work or similar work order issued thereunder describing Processing responsibilities.

1.9. European Union ("EU") Standard Contractual Clauses means standard contractual clauses adopted by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

1.10. General Data Protection Regulation ("GDPR") means the Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC and all applicable European Union (EU) Member State legislation implementing the same.

1.11. Personal Data means any information or data that, alone or in combination with other information or data, can be used to reasonably identify a particular individual, household, or device, and is subject to, or otherwise afforded protection under, an applicable Data Protection Law.

1.12. Process, Processing, or Processes means any action performed on Customer Personal Data, including collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure, transfer or otherwise making available, alignment or combination, restriction, deletion, or destruction.

1.13. Security Event means any actual or reasonable degree of certainty of unauthorized access, use, loss, acquisition, exfiltration, or disclosure of unencrypted Customer Personal Data. A Security Event does not include an Unsuccessful Security Incident.

1.14. Services means products or services provided by Newployee to Customer pursuant to the Master Agreement that involve Newployee Processing of Customer Personal Data on behalf of Customer.

1.15. Subprocessor means any third-party organization engaged by Newployee to Process Customer Personal Data on its behalf.

1.16. Subprocessor List means the list of Subprocessors providing Processing services to Newployee, which may be amended from time to time and can be found at https://www.newployee.com/subprocessors.

1.17. United Kingdom ("UK") Addendum means the International Data Transfer Addendum to the EU Standard Contractual Clauses (B.1.0) issued by the UK Information Commissioner's Office under S119A(1) Data Protection Act 2018, in force 21 March 2022, and as may be amended or replaced by the UK Information Commissioner's Office and/or Secretary.

1.18. Unsuccessful Security Incident means an unsuccessful attempt or activity that does not compromise the security of Customer Personal Data, including (without limitation) pings and other broadcast attacks of firewalls or edge servers, port scans, unsuccessful log-on attempts, denial-of-service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers) or similar incidents.

2. Scope and Applicability; Ownership

2.1. Scope; Applicability. This DPA applies where and only to the extent that Newployee Processes Customer Personal Data for or on the behalf of Customer in the course of providing Services pursuant to the Master Agreement. Notwithstanding expiry or termination of the Master Agreement, this DPA will remain in effect until, and will automatically expire upon, deletion or return of all Customer Personal Data by Newployee to Customer.

2.2. Data Ownership. As between Customer and Newployee, Customer owns the Customer Personal Data and all Customer Personal Data shall remain the property of Customer. Customer hereby grants and agrees to grant to Newployee and its Affiliates a non-exclusive, royalty-free, worldwide, sublicensable, right and license to Process the Customer Personal Data to the extent reasonably necessary to provide, monitor, and modify the Services or as otherwise set forth herein or in the Master Agreement.

3. Processing Details; Disclaimers

3.1. Roles and Responsibilities. For the purposes of this DPA, (i) where Customer is considered a Data Controller, then Newployee shall be considered a Data Processor, and (ii) where Customer is considered a Data Processor, then Newployee shall be considered a sub-Processor, provided that in either of the foregoing circumstances, Newployee shall Process any Customer Personal Data only in accordance with the Documented Instructions, unless required to do otherwise by law. In the event Newployee is compelled by law to Process Customer Personal Data other than in accordance with the terms and conditions set forth in the Documented Instructions, Newployee shall notify Customer of that legal requirement prior to Processing, unless such notification is expressly prohibited by law. Additional Processing by Newployee outside the Documented Instructions, if any, will require prior written agreement between Newployee and Customer.

3.2. Details of Processing. The subject matter, duration, nature, and purpose of the Processing, the types of Customer Personal Data, and the categories of Data Subjects covered by this DPA are set forth in the Master Agreement and this DPA, including Annex I, and, when necessary, supplemented in an additional Order Form, statement of work or similar work order executed between the parties. The parties agree that Customer is solely responsible for determining the types of Customer Personal Data uploaded to, and used within, the Services.

3.3. CCPA Disclaimer. Each party acknowledges and agrees that the disclosure of Customer Personal Data to the other does not constitute, and it is not the intent of either party for such disclosure to constitute, a Sale or Sharing of Customer Personal Data, and if valuable consideration, monetary or otherwise, is being provided by either party, such valuable consideration, monetary or otherwise, is being provided for the rendering of Services and not for the disclosure of Customer Personal Data. Newployee (i) shall not collect, retain, use, or disclose Customer Personal Data for any purpose (including for any commercial purpose) other than for the specific purpose of performing the Services, unless otherwise required by law, (ii) shall not Sell or Share Customer Personal Data, except as necessary to satisfy its obligations under the Master Agreement, (iii) shall not collect, retain, use, or disclose Customer Personal Data outside the direct business relationship between Newployee and Customer, unless expressly permitted by law, and (iv) shall, at Customer's reasonable request, cease any unauthorized Processing of Customer Personal Data and grant Customer authorization to assess and remediate any such unauthorized Processing. This DPA is Newployee's certification, to the extent the CCPA or any other applicable Data Protection Law requires such a certification, that Newployee understands and will comply with the Processing limitations with respect to Customer Personal Data that are reasonable and set forth in the Documented Instructions. The parties acknowledge and agree that the "business purpose" for which Newployee Processes Customer Personal Data is to provide the Services as defined in the applicable Master Agreement. For purposes of this Section 3.3 only, the terms "Business," "Service Provider," "Personal Information," "Sale," and "Sell" shall have the same meaning as set forth in the CCPA (Cal. Civ. Code § 1798.140). The limitations set forth in this Section 3.3 shall not be interpreted to prevent Newployee from complying with an applicable law, statute, regulation, or binding order of a governmental or regulatory body.

4. Customer Obligations

4.1. Accuracy; Compliance. Customer shall be responsible for complying with all requirements that apply to it under applicable Data Protection Law and the Documented Instructions it issues to Newployee. Where Customer acts as a Data Controller under this DPA, then Customer is solely responsible for the accuracy, quality, and legality of Customer Personal Data; complying with all necessary transparency and lawfulness requirements under applicable Data Protection Law for the collection and use of Customer Personal Data, including obtaining any necessary consents and authorizations from Data Subjects or otherwise; and, ensuring that the Documented Instructions comply with all applicable laws, statutes, and regulations, including applicable Data Protection Law. Where Customer acts as a Data Processor under this DPA, Customer represents it has executed terms and conditions with the applicable Data Controller requiring the Data Controller to acknowledge and agree that the Data Controller is solely responsible for the accuracy, quality, and legality of Customer Personal Data; complying with all necessary transparency and lawfulness requirements under applicable Data Protection Law for the collection and use of the Customer Personal Data, including obtaining any necessary consents and authorizations from Data Subjects or otherwise; and, ensuring that the Documented Instructions comply with all applicable laws, statutes, and regulations, including applicable Data Protection Law.

4.2. Lawful Basis. Customer hereby represents to Newployee that Customer has the legal authority and appropriate business purpose to provide Newployee with any and all Customer Personal Data in conjunction with the Services, and when legally required, has obtained the consent from all applicable Data Subjects concerning the Processing described herein. Customer shall inform Newployee, immediately and without undue delay (and in any event within seventy-two (72) hours) if Customer is not able to comply with its responsibilities set forth in the Documented Instructions or if the Documented Instructions violate an applicable Data Protection Law, and in either such circumstance, Newployee shall be permitted, upon notice to Customer, to immediately terminate the Master Agreement or to cease any Processing without being in breach of the Master Agreement.

4.3. Sufficiency. Customer is solely responsible for reviewing the Services, including any available security documentation and features, to determine whether they satisfy Customer's requirements, business needs, and legal obligations. Customer is responsible for its use of the Services, including making appropriate use of the Services to ensure a level of security appropriate to the risk with respect to Customer Personal Data, securing its account authentication credentials, protecting the security of Customer Personal Data when in transit to and from the Services, taking appropriate steps to securely encrypt and/or back up any Customer Personal Data uploaded to the Services, and properly configuring the Services and using available features and functionalities to maintain appropriate security in light of the nature of the Customer Personal Data. Newployee has no obligation to protect Customer Personal Data that Customer transmits, stores or transfers outside of the Services (e.g., offline or on-premise storage).

4.4. Sensitive Personal Data. Unless set forth in Annex I of this DPA or otherwise agreed to in Documented Instructions, Customer shall not upload or otherwise input into the Services, any of the following: (i) Sensitive Personal Data, or (ii) Personal Data that is subject to, or otherwise afforded protection under a Data Protection Law applicable in a Restricted Country. For purposes of this clause, the term "Sensitive Personal Data" means "any Personal Data that is afforded special protection under a law or regulation because it could potentially cause harm, damage, or discrimination to an individual if it is disclosed, accessed, or used without authorization, and includes, but is not limited to, social security/insurance numbers and other government identifiers." The term "Restricted Country" means "any country or territory other than Australia, Canada, the European Economic Area, Mexico, the United States of America, or the United Kingdom."

5. Confidentiality; Security

5.1. Confidentiality. Newployee shall at all times maintain the confidentiality of all Customer Personal Data and ensure that individuals who are authorized to Process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

5.2. Information Security. Newployee shall implement and maintain commercially reasonable technical and organizational security controls to protect and safeguard Customer Personal Data, which shall include written policies describing its security controls and measures and the relevant procedures and responsibilities of Newployee personnel who have access to Customer Personal Data ("Information Security Program"). All of Newployee's employees who have access to Customer Personal Data shall have signed written confidentiality agreements ensuring their duty of confidentiality. Newployee shall designate a senior employee to be responsible for the overall management of Newployee's Information Security Program.

5.3. Updates. Newployee may update, amend, or otherwise alter its Information Security Program at any time, provided that any such update, amendment, or alteration does not increase the likelihood of a Security Event or cause the Information Security Program to not meet the minimum standards set forth herein.

6. Assistance; Cooperation

6.1. Requests. Newployee shall, to the extent legally permitted, promptly notify Customer if Newployee receives a request from (i) a government or regulatory authority regarding the Processing of, or seeking access to, Customer Personal Data ("Government Data Request") or (ii) a Data Subject seeking to exercise a data protection right or privilege, such as the right to access or deletion (a "Data Subject Request"), and Newployee shall, to the extent practicable, seek to direct the requestor to Customer. Taking into account the nature of the Processing, Newployee shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer's obligation to respond to a Government Data Request or a Data Subject Request. In addition, to the extent Customer, in its use of the Services, does not have the ability to address the Government Data Request or the Data Subject Request, Newployee shall, upon Customer's request, furnish commercially reasonable efforts to assist Customer in responding to such requests, to the extent Newployee is legally required to do so. For the avoidance of doubt, Customer shall be fully responsible and liable for timely and appropriately responding to a Government Data Request or a Data Subject Request.

6.2. Impact Assessments; Consultation. Upon Customer's request, Newployee shall provide Customer with reasonable cooperation and assistance (i) needed to fulfil Customer's obligation under applicable Data Protection Law to undertake a data protection impact assessment related to Customer's use of the Services, to the extent Customer does not otherwise have access to the relevant information and to the extent such information is available to Newployee and (ii) with respect to a consultation with a government or regulatory authority.

7. Return or Destruction of Data

7.1. Obligations. On termination or expiration of the Master Agreement or this DPA, Customer may wish to instruct Newployee to delete or return all Customer Personal Data (including copies) from Newployee's systems in accordance with applicable Data Protection Law. Newployee will comply with this instruction as soon as reasonably practicable, and where technically feasible, and Newployee shall not be required to delete or return Customer Personal Data to the extent that Newployee is required by applicable law or order of a governmental or regulatory body to retain some or all of the Customer Personal Data or such Customer Personal Data is required for Newployee to enforce or defend its legal rights or interests. In addition, except to the extent required by applicable law, Newployee shall not be required to delete or return Customer Personal Data archived on backup systems if Newployee shall securely isolate it and protect it from any further Processing and such Customer Personal Data is deleted in accordance with Newployee's standard overwriting and deletion policies.

8. Security Event Procedures

8.1. Reporting to Customer. Upon confirming a Security Event and where legally required, Newployee shall: (i) taking into account the nature of Processing of Customer Personal Data and the information available to Newployee, promptly (and in accordance with the timeframes set forth in applicable Data Protection Law) notify Customer of a Security Event when it discovers the same, (ii) provide timely information to Customer relating to the Security Event as it becomes known or as is reasonably requested by Customer, and (iii) promptly take reasonable steps to contain, investigate, and mitigate any Security Event, and Newployee may (in Newployee's sole and reasonable judgment) retain an independent data incident response consultant to contain, investigate, and remediate the Security Event on its behalf.

8.2. Incident Notification. Newployee will cooperate with Customer as reasonably requested by Customer in responding to Customer's regulators or customers with respect to a Security Event. Notwithstanding the foregoing, Customer acknowledges and agrees (i) Customer shall be solely responsible for notifying or disclosing a Security Event to any applicable government agency, individual, or entity, (ii) Customer may not name Newployee in consumer or regulatory notifications or press releases without Newployee's consent (except as required by law), and (iii) Customer shall coordinate with Newployee on developing the content of any public statements or any required notices for the affected Data Subjects and/or notices to the relevant supervisory authorities related to the Security Event if Newployee's name will be mentioned in such notices. Nothing in this DPA shall be interpreted to prevent Newployee from complying with its own data incident notification requirements, provided Newployee may not name Customer in regulatory notifications or press releases without Customer's consent (except as required by law), and Newployee shall coordinate with Customer on developing the content of any public statements or any required regulatory notices related to the Security Event if Customer's name will be mentioned in such public statements or notices.

8.3. Disclaimer. Any notification, assistance, or cooperation provided by Newployee in accordance with this Section 8 shall not be interpreted or construed as an admission of liability, wrongdoing, or fault by Newployee. To the extent Newployee is responsible for the Security Event, Newployee shall be liable for the costs to investigate and respond to the Security Event in accordance with the terms of the Master Agreement.

9. Reports; Audits

9.1. Security Reports. Upon request (which shall not occur more than annually), Newployee shall provide to Customer, on a confidential basis, a summary copy of (if available) any third-party audit report or certification applicable to the Services ("Report"), so that Customer can verify Newployee's compliance with this DPA. If Customer reasonably believes that the Report provided is insufficient to demonstrate Newployee's compliance with this DPA, Newployee shall also provide written responses (on a confidential basis) to reasonable requests for information made by Customer related to the Processing of Customer Personal Data.

9.2. Audits; Inspections. If Customer reasonably believes that the information provided by Newployee pursuant to Section 9.1 is insufficient to demonstrate compliance with this DPA, Newployee will allow an audit by Customer, or a third-party auditor appointed by Customer and reasonably acceptable to Newployee, in relation to Newployee's Processing of Customer Personal Data. Any such audit will be at Customer's expense, with reasonable advance notice, conducted during normal business hours no more than once per year and subject to Newployee's reasonable security and confidentiality requirements and provided that the exercise of rights under this Section 9.2 would not infringe Data Protection Laws.

10. Subprocessors

10.1. Authorized Subprocessors. Customer agrees that Newployee may, in accordance with this Section 10 of the DPA, engage Subprocessors to Process Customer Personal Data and Customer hereby approves the Subprocessors currently engaged by Newployee as set forth in its Subprocessor List.

10.2. Subprocessor Obligations. Newployee shall (i) ensure that each Subprocessor is subject to binding obligations that require the Subprocessor to protect the Customer Personal Data to the same standard as Newployee and (ii) remain responsible for each Subprocessor's compliance with the obligations of this DPA and for any failure by the Subprocessor to fulfil its data protection obligations.

10.3. Changes to Sub-processors. Newployee shall inform Customer of any intended changes concerning the addition or replacement of a Subprocessor, thereby giving Customer the opportunity to object to such changes, provided Customer may only object to such changes involving Subprocessors if there are reasonable grounds to believe that the Subprocessor will be unable to comply with the Documented Instructions. If Customer objects to Newployee's use of a new Subprocessor, Customer shall notify Newployee in writing within thirty (30) business days after receiving notification regarding the proposed use of the Subprocessor. Customer's failure to object in writing within such time period shall constitute approval to use the new Subprocessor. Customer acknowledges and accepts that the refusal to permit the use of a particular new Subprocessor may result in Newployee's inability to satisfy, in full or in part, the terms and conditions of the Master Agreement, and in such circumstances, Customer may terminate the Master Agreement in accordance with the termination provisions of the Master Agreement, and such termination shall not constitute termination for breach of the Master Agreement. Newployee shall notify Customer of any intended changes with respect to a Subprocessor (i) by clearly and conspicuously furnishing notice to Customer via a disclaimer or other notice on the Services, (ii) via email communication to Customer through any email contact information Customer has furnished to Newployee and Customer is responsible for ensuring any such contact information is true, accurate, and complete (and Customer may provide such contact information to Newployee at privacy@newployee.com), or (iii) any other reasonable method that furnishes Customer with appropriate notice and opportunity to respond. Any changes to Newployee's Subprocessors will be reflected at https://www.newployee.com/subprocessors.

11. International Data Transfers

11.1. EU Standard Contractual Clauses. Customer hereby acknowledges and agrees that, for providing the Services under the Master Agreement, Newployee may transfer Customer Personal Data across national borders. To the extent Customer Personal Data originates in the European Economic Area (EEA), the parties undertake to apply the provisions of the EU Standard Contractual Clauses to the transfer and Processing of such Customer Personal Data. If the EU Standard Contractual Clauses are applicable between the parties pursuant to this Section 11.1 of this DPA, their provisions will be deemed incorporated by reference into this DPA. If the parties apply and incorporate the EU Standard Contractual Clauses pursuant to this Section 11.1 of this DPA, then the following shall apply:

11.1.1. Module Two or Three. The EU Standard Contractual Clauses shall be governed by Module Two (Transfer controller to processor) clauses where Customer is a Controller and Newployee is a Processor, and by Module 3 (Transfer processor to processor) where Customer is a Processor and Newployee is a sub-Processor. Customer and/or Customer's EU Affiliates shall be the data exporter and Newployee shall be the data importer.

11.1.2. Docking Clause. Each party acknowledges and agrees that Clause 7 (Optional – Docking Clause) of the EU Standard Contractual Clauses shall be deemed incorporated therein and applicable to the parties and third parties.

11.1.3. Sub-Processing Clause. For purposes of Clause 9(a) (Use of sub-processors) of the EU Standard Contractual Clauses, the parties agree that Option 2 (General Authorization) shall apply to the parties in accordance with Section 10 of this DPA.

11.1.4. Governing Law. For purposes of Clause 17 (Governing law) of the EU Standard Contractual Clauses, the parties agree that the EU Standard Contractual Clauses shall be governed by the law of Estonia and select Clause 17, "Option 1" to this effect.

11.1.5. Choice of Forum Clauses. For purposes of Clause 18 (Choice of forum and jurisdiction) of the EU Standard Contractual Clauses, the parties agree that any dispute arising from the EU Standard Contractual Clauses shall be resolved by the Courts of Estonia.

11.1.6. Transfer Details (Annex I). Annex I of the EU Standard Contractual Clauses shall be completed with the information set forth in Annex I of this DPA.

11.1.7. Security Controls (Annex II). Annex II of the EU Standard Contractual Clauses shall be completed with the information set forth in Annex II of this DPA.

11.1.8. Sub-Processing List (Annex III). Annex III of the EU Standard Contractual Clauses shall be completed with Section 10 of this DPA.

11.1.9. Onward Transfers. Newployee shall not transfer Customer Personal Data received under the EU Standard Contractual Clauses (nor permit such Customer Personal Data to be transferred) to a Subprocessor outside the EEA, unless (i) the Subprocessor is established in a country which the European Commission has granted an adequacy status, or (ii) Newployee implements and maintains such measures as necessary to ensure the transfer is in compliance with Data Protection Law, and such measures may include (without limitation) executing the EU Standard Contractual Clauses, Module 3 (Transfer processor to processor).

11.2. UK Addendum. To the extent Customer Personal Data originates in the UK, the parties undertake to apply the provisions of the EU Standard Contractual Clauses, as updated and amended by the UK Addendum, to the transfer and Processing of such Customer Personal Data and hereby incorporate the UK Addendum by reference into this DPA, provided the UK Addendum shall be supplemented and completed, as appropriate, with the descriptions and party responsibilities, clause options, and similar criteria set forth in Section 11.1 of this DPA and the Annexes attached hereto. For the avoidance of doubt, with respect to UK data transfers, in the event of a conflict between the EU Standard Contractual Clauses and the UK Addendum, the terms and hierarchy set forth in the UK Addendum shall supersede and control with respect to such UK data transfers only. Newployee shall not transfer any Customer Personal Data received under the UK Addendum (nor permit such Customer Personal Data to be transferred) to a Subprocessor outside the UK, unless (i) the Subprocessor is established in a country which the UK authorities have granted an adequacy status, or (ii) Newployee implements and maintains such measures as necessary to ensure the transfer is in compliance with Data Protection Law, and such measures may include (without limitation) executing the EU Standard Contractual Clauses, Module 3 (Transfer processor to processor) and the UK Addendum thereto.

11.3. Changes to the Law. If and to the extent this DPA or the EU Standard Contractual Clauses or the UK Addendum are no longer recognized by the European Commission or other local privacy authorities as an adequate mechanism for the transfer of Customer Personal Data from the European Economic Area, United Kingdom or other country, as applicable, to the United States, then the parties shall abide by another adequate transfer mechanism, provided however that if, after commercially reasonable efforts, Newployee is unable to comply with another adequate transfer mechanism, Customer or Newployee may, upon prior advance written notice to the other party, terminate the Master Agreement and obtain a refund from Newployee of pre-paid fees prorated for the remainder of the unused Services as Customer's exclusive remedy.

12. Miscellaneous

12.1. Governing Clauses; Severance. The parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Master Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity, and this DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Master Agreement. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties' intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

12.2. Limitation of Liability. Each party's and all of its affiliates' liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Customer affiliates and Newployee and Newployee affiliates, whether in contract, tort or under any other theory of liability, is subject to the "Limitation of Liability" section of the Master Agreement and the applicable cap (maximum) for the relevant party set forth in the Master Agreement. Any reference in such section to the liability of a party means the aggregate liability of that party and all of its affiliates under the Master Agreement and all DPAs together. For the avoidance of doubt, Newployee and its affiliates' total liability for all claims from Customer and all of Customer's affiliates arising out of or related to the Master Agreement and all DPAs shall apply in the aggregate for all claims under both the Master Agreement and all DPAs established under the Master Agreement, including by Customer and all Customer affiliates, and, in particular, shall not be understood to apply individually and severally to Customer and/or to any Customer affiliate that is a contractual party to any such DPA. To the extent required by law, this section is not intended to (i) modify or limit either party's liability for Data Subject claims made against a party where there is joint and several liability, or (ii) limit either party's responsibility to pay penalties imposed on such party by a regulatory authority.

Annex I (Data Processing Activities)

A. List of parties:

Data Exporter:

  • Name: Customer, as set forth in the Master Agreement
  • Address: Set forth in the Master Agreement
  • Contact person: Set forth in the Master Agreement
  • Activities relevant to the data transferred under these Clauses: Set forth below (Section B. Description of Transfer)
  • Role (controller / processor): Controller/Processor

Data Importer:

  • Name: Newployee entity, as set forth in the Master Agreement
  • Address: Set forth in the Master Agreement
  • Contact person: privacy@newployee.com
  • Activities relevant to the data transferred under these Clauses: Set forth below (Section B. Description of Transfer)
  • Role (controller / processor): Processor/Sub-Processor

B. Description of Transfer:

Unless otherwise set forth in an order form or similar documentation, the description of the Customer Personal Data transferred is as follows:

(i) Categories of Data Subjects: Customer's employees, contractors, job applicants, and other personnel whose data is processed through the HR automation platform.

(ii) Categories of Personal Data: The personal data transferred concerns: employee identification data (name, employee ID, contact information), employment details (position, department, manager, start/end dates), work-related data (performance information, training records, workflow interactions), and system usage data.

(iii) Sensitive/Special Categories of Personal Data: None, unless explicitly authorized by Customer in writing and in compliance with applicable Data Protection Law.

(iv) Transfer Frequency: Continuous, and for so long as Customer uses the Services, and for the termination and transition period thereafter, as set forth in the Master Agreement.

(v) Nature of Processing: For Newployee to provide HR automation services to Customer, including employee onboarding, offboarding, workflow management, and related HR processes.

(vi) Purpose of Data Processing: To provide HR automation services via Newployee's Subscription Services.

(vii) The Period for which Personal Data will be Retained: For the duration of the Master Agreement and for the termination and transition period thereafter, as set forth in the Master Agreement.

(viii) Third-Party Sub-Processor Transfers: The relevant information as set forth in Annex III.

C. Competent Supervisory Authority:

The competent supervisory authority in accordance with Clause 13 of the EU Standard Contractual Clauses is the supervisory authority of Estonia.

Annex II (Security Controls)

Newployee's Information Security Program shall meet or exceed the information security requirements, standards, and criteria set forth in this Annex II:

  1. Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services.
    • Infrastructure built on leading cloud providers with auto-scaling capabilities
    • Multi-zone deployment for resilience and high availability
    • TLS 1.2+ encryption for all data in transit
    • Web Application Firewall and DDoS protection
    • Regular data validation and integrity checks
    • Role-based access control and authentication
  2. Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
    • Regular automated backups with point-in-time recovery
    • Disaster recovery procedures and business continuity planning
    • Geographic redundancy for critical systems
  3. Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures.
    • Regular security assessments and penetration testing
    • Continuous vulnerability scanning and patch management
    • Security monitoring and SIEM implementation
    • Third-party security audits and certifications
  4. Measures for user identification and authorization.
    • Multi-factor authentication support
    • Role-based access control
    • SAML 2.0 SSO integration
    • Regular access reviews and certification
  5. Measures for the protection of data during transmission.
    • TLS 1.2+ encryption for all data in transit
    • Secure API endpoints with authentication
    • Encrypted file transfers
  6. Measures for the protection of data during storage.
    • AES-256 encryption at rest
    • Secure key management
    • Database encryption and access controls
  7. Measures for ensuring physical security.
    • Utilization of certified data centers
    • Physical security controls managed by cloud providers
    • Environmental controls and monitoring
  8. Measures for ensuring events logging.
    • Comprehensive audit logging
    • Security information and event management (SIEM)
    • Log retention and analysis
    • Alerting and monitoring systems
  9. Measures for ensuring system configuration.
    • Infrastructure as code
    • Configuration management
    • Change control processes
    • Security baselines and hardening
  10. Measures for internal IT and IT security governance and management.
    • Information security policies and procedures
    • Employee security training
    • Incident response planning
    • Risk assessment and management

Newployee maintains a Recovery Time Objective (RTO) of 4 hours and a Recovery Point Objective (RPO) of 15 minutes as described in the SLA.

Annex III (Approved Subprocessors)

The list of current Subprocessors, as amended from time to time, can be found at https://www.newployee.com/subprocessors. Current categories of Subprocessors include:

  • Cloud infrastructure providers
  • Analytics and monitoring services
  • Customer support platforms
  • Payment processors
  • Communication services

This DPA represents the complete agreement between the parties regarding data processing and supersedes any prior agreements or understandings.
