Privacy and Security Addendum
This Privacy and Security Addendum (“Privacy Addendum”) is made part of the JBIO Master Services Agreement (“MSA”) entered into by and between Customer and ZipRecruiter, pursuant to which Customer has purchased a Subscription to or obtained a Free Trial of the Services.
The purpose of this Addendum is to reflect the parties’ agreement concerning the Processing of Customer End Users’ Personal Data that concerns (A) Customer End Users located in jurisdictions outside the Territory, and/or (B) Personal Data not otherwise subject to EU/U.K. Data Protection Laws, and memorialize that such Personal Data shall be Processed only for limited and specific purposes as described herein and in the MSA. All capitalized terms not defined herein shall have the meaning set forth in the MSA.
For purposes of this Privacy Addendum, the following definitions shall apply:
“Applicable Privacy Law” means any applicable Federal, state, provincial, or local law or regulation relating to data security, data protection and/or privacy, that applies to Personal Data. This term includes, but is not limited to, the (i) California Consumer Privacy Act, Cal. Civ. Code Title 1.81.5, § 1798.100 et seq., as amended (“CCPA”), including as modified by the California Privacy Rights Act, Cal. Civ. Code § 1798.100 et. seq. and its implementing regulations (“CPRA”), as amended or superseded from time to time; (ii) Virginia’s Consumer Data Protection Act, Va. Code Ann. § 59.1-571 et seq., and its implementing regulations (“CDPA”); (iii) Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”), and (iv) any other applicable Federal, state, provincial, or local law or regulation regarding privacy and data protection that is in effect or will come into effect during the term of the MSA.
“Personal Data” shall mean information that is (i) provided to ZipRecruiter by or at the direction of Customer, or information which is obtained by ZipRecruiter on behalf of Customer, in the course of ZipRecruiter’s performance of the Services under the MSA, and (ii) expressly defined as personal data or personal information under Applicable Privacy Law and only to the extent of the obligations under such law, respectively.
“Process” or “Processing” means any operation or set of operations which is performed on data or on sets of Personal Data, whether or not by automated means, either actively or passively. Processing includes, but shall not be limited to, collating, collecting, purchasing, accessing, gathering, obtaining, recording, organizing, sorting, structuring, storing, adapting, altering, retrieving, modifying, consulting, using, disclosing, making available, aligning, combining, receiving, erasing, or destroying such Personal Data. For purposes of clarity, the term “Processing” includes words or phrases of like meaning as defined and used under Applicable Privacy Law, including, but not limited to, “collect” or “collecting”.
2. Processing; Limitations on Use of Personal Data
ZipRecruiter may Process Personal Data in the course of performing the Services on behalf of Customer as described in the MSA. ZipRecruiter will Process such Personal Data only on behalf of Customer, according to the directions set forth by Customer (including as set forth in the MSA) and in compliance with Applicable Privacy Law. For a list of the categories of Personal Data processed based on the Services provided, please email [email protected]
ZipRecruiter will not retain, use, or disclose any Personal Data for any purpose other than (i) providing the Services and/or products under the MSA; (ii) using the Personal Data internally to verify or maintain the quality, safety, or security of the Services and/or products, and to improve, upgrade or enhance the Services as permitted by Applicable Privacy Law; (iii) using the Personal Data to comply with ZipRecruiter’s legal obligations; (iv) to retain and employ another service provider or sub- processor to assist in providing the Services and/or products under the MSA; or (v) for any other purpose that is expressly permitted of ‘service providers’ (or other similar words and phrases of like meaning) under Applicable Privacy Law, including but not limited to the service provider exemptions under the CPRA and implementing regulations.
ZipRecruiter acknowledges that it is prohibited from: (i) “selling” the Personal Data or processing Personal Data for purposes of conducting targeted advertising (including “sharing” or conducting “cross-context behavioral advertising” as defined by the CPRA); (ii) retaining, using, or disclosing the Personal Data for any purpose other than providing the Services to Customer and/or products specified in the MSA, except as otherwise expressly permitted in the MSA or this Privacy Addendum; (iii) retaining, using, or disclosing the Personal Data outside of the direct business relationship with Customer, except as otherwise expressly permitted in the MSA, Applicable Privacy Law, or this Privacy Addendum; or (iv) with respect to its obligations under the CPRA, combining the Personal Data that ZipRecruiter receives from, or on behalf of, Customer with personal information that it receives from, or on behalf of, another person(s), or collects from its own interaction with a consumer, provided that ZipRecruiter may combine Personal Data to perform any business purpose as defined in the CPRA.
Customer retains control of the Personal Data and remains responsible for its compliance obligations under Applicable Privacy Law, including providing any required notices and obtaining any required consents, and for the processing instructions it gives to ZipRecruiter. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data, and the means by which Customer acquired Personal Data or instructed ZipRecruiter to process Personal Data on its behalf as a Processor.
3. Confidentiality; Security
ZipRecruiter will restrict access to Personal Data to those authorized persons who need such information to provide the Services under the MSA. ZipRecruiter will ensure such authorized persons are obligated to maintain the confidentiality of any Personal Data.
ZipRecruiter will implement administrative, physical, technical, and organizational measures and good industry practices to ensure the security of Personal Data, including the measures specified in https://www.ziprecruiter.global/en/security.
Customer grants a general authorization to ZipRecruiter to appoint third party sub-processors and vendors (each, a “Subprocessor”) to support the performance and fulfillment of the Services. Subprocessors shall be engaged pursuant to a written contract that requires the Subprocessor to meet its obligations under Applicable Privacy Law, and which imposes on such Subprocessor terms substantially no less protective of Personal Data than those imposed on ZipRecruiter in this Privacy Addendum. A current list of Sub-processors for the Services are identified at www.jobboard.io/Subprocessor-List.
Customer grants a general authorization to ZipRecruiter to allow each Subprocessor to appoint another third party subprocessor and/or vendor to support the performance of ZipRecruiter’s Services hereunder (each, a “Sub-subprocessor”) provided that such engagement is pursuant to a written contract which imposes on such Sub-subprocessor terms substantially no less protective of Personal Data than those imposed on ZipRecruiter in this Privacy Addendum. Information on Sub-subprocessors is available in the Subprocessor List.
5. Oversight and Monitoring of Compliance
Customer shall have the right to take reasonable steps to ensure that ZipRecruiter uses Personal Data in a manner consistent with the obligations under Applicable Privacy Law. Upon the reasonable request of Customer (and subject to an applicable non-disclosure agreement satisfactory to ZipRecruiter, where required), ZipRecruiter shall make available to Customer such information reasonably necessary to help demonstrate ZipRecruiter’s or Customer’s compliance with the obligations under Applicable Privacy Law, including any third-party assessments of ZipRecruiter’s policies and/or technical and organizational measures (such as ZipRecruiter’s SOC 2 report).
ZipRecruiter shall notify Customer if ZipRecruiter can no longer meet the obligations under this Privacy Addendum and/or Applicable Privacy Law.
6. Data Subject Rights; Retention of Personal Data
ZipRecruiter shall cooperate and provide the ability for Customer to directly manage and respond to deletion and access requests from Customer End Users within the Admin Panel. At any time before or shortly after termination of this MSA, Customer can download a file of Customer data contained on the Job Board in CSV format via the Admin Panel.
If ZipRecruiter receives a request from a Customer End User in relation to his or her Personal Data, ZipRecruiter reserves the right to respond to that Customer End User and/or advise that Customer End User to submit his/her request to Customer directly and in either case, Customer will be responsible for responding to any such request. Pursuant to the foregoing, Customer accepts that ZipRecruiter may provide such Customer End User with pertinent information about Customer including, without limitation, Customer’s identity and the name and contact information of Customer’s representatives.
Upon termination or expiration of the Agreement, Customer may request that ZipRecruiter return (where feasible) or delete Personal Data. ZipRecruiter shall have the right to retain Personal Data stored pursuant to the MSA in the ordinary course of business, pursuant to its retention schedules for client materials and in accordance with applicable law, including any exemptions permitted under Applicable Privacy Law.
7. GDPR Data Processing Agreement
Where ZipRecruiter will process the Personal Data of data subjects in the European Economic Area, European Union, Switzerland, and/or the United Kingdom, the GDPR Data Processing Agreement, available at: www.jobboard.io/GDPR-Data-Processing-Addendum (“GDPR DPA”) will govern.
In the event of any conflict between the terms of this Privacy Addendum and the terms of the GDPR DPA, the conflicting provision of the GDPR DPA shall prevail.
In the event there is any conflict or difference between the terms and conditions of this Privacy Addendum and the terms and conditions of the MSA, the terms and conditions of this Privacy Addendum will prevail. ZipRecruiter may amend this Privacy Addendum at any time and Customer’s continued use of the Services after such change indicates Customer’s acceptance of the amended Privacy Addendum.
ZipRecruiter may amend this Privacy Addendum at any time and Customer’s continued use of the Services after such change indicates Customer’s acceptance of the amended Privacy Addendum.
Last updated: December 20, 2022